Content library
Risk management
Risk management procedure -report publishing and maintenance

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Creating and maintaining risk management framework -report
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

Article 5: Governance and organisation
DORA
Article 6: ICT risk management framework
DORA
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining risk management framework -report
1. Task description

Organisation must create and maintain comperhensive and well-documented a risk management framework.

The risk management framework should include at least:

  • Strategies
  • policies
  • procedures
  • protocls
  • tools

used in cyber risk management.

The risk management framework must be reviewed at least yearly.

Risk management procedure -report publishing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
39
requirements

Examples of other requirements this task affects

5.1.1: Policies for information security
ISO 27001
T04: Turvallisuusriskien hallinta
Katakri
ID.GV-4: Processes
NIST
ID.RA-5: Risk evaluation
NIST
ID.RA-6: Risk responses
NIST
See all related requirements and other information from tasks own page.
Go to >
Risk management procedure -report publishing and maintenance
1. Task description

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities
  • The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

Identification and documentation of cyber security risks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
39
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
24. Responsibility of the controller
GDPR
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
T04: Turvallisuusriskien hallinta
Katakri
ID.GV-4: Processes
NIST
See all related requirements and other information from tasks own page.
Go to >
Identification and documentation of cyber security risks
1. Task description

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Risk management policy -report publishing, informing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Risk management policy -report publishing, informing and maintenance
1. Task description

The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:

  • Basis for setting the risk management requirements and objectives based on the organizational context
  • Commitment to the cyber security risk management system
  • Strategic directions of the risk management process
  • Overview of the roles and responsibilities for risk management

The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.

Segregation of tasks in information security risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

CC5.1: Control activities for mitigation of risks
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Segregation of tasks in information security risk management
1. Task description

In the management of information security risks, the tasks must be separated if they are not compatible.

In a situation where the tasks are not compatible, but the separation of tasks is not practical, separate controls must be developed to monitor it.

Consideration of information security goals in risk assessment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

CC5.1: Control activities for mitigation of risks
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Consideration of information security goals in risk assessment
1. Task description

The organization must consider the risks for achieving information security goals. Risks related to the achievement of goals must be mitigated by setting up control measures in at least the following areas:

  • Risk assessment process
  • Organization-specific factors, such as the environment, nature, the structure of the organization and the scope of its activities
  • Essential business processes
Identification of risks endangering the continuity of operations and their handling plans
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

CC9.1: Treatment plans for business disruption risks
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Identification of risks endangering the continuity of operations and their handling plans
1. Task description
Consideration of critical functions in risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

74: Kriittisten palveluiden riskien arviointi ja hallinta
Digiturvan kokonaiskuvapalvelu
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Consideration of critical functions in risk management
1. Task description

The organization must identify the functions critical to the continuity of its operations (e.g. services offered to the customer).

Risks related to critical operations should be identified, evaluated and handled with emphasis and regularly in cooperation with service providers.

Monitoring the status of risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
7
requirements

Examples of other requirements this task affects

19: Riskienhallinan tilanteen seuraaminen
Digiturvan kokonaiskuvapalvelu
CC5.1: Control activities for mitigation of risks
SOC 2
Article 6: ICT risk management framework
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Monitoring the status of risk management
1. Task description

Implemented risk management measures and the overall situation of risk management are checked regularly.

The operating model for monitoring the status of risk management is clearly described.

Immediate reporting of critical risks to top management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

18: Kriittisten riskien raportointi
Digiturvan kokonaiskuvapalvelu
1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Immediate reporting of critical risks to top management
1. Task description

Critical risks threatening the organization's operations are reported to the organization's management immediately.

There is a clearly planned operating model for reporting.

Muutoshallintamenettelyt tietojenkäsittely-ympäristöissä (TL IV)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
2
requirements

Examples of other requirements this task affects

TEK-17.3: Muutoshallintamenettelyt
Julkri
I-16: TURVALLISUUSLUOKITELLUN TIEDON KÄSITTELYYN LIITTYVÄN TIETOJENKÄSITTELY-YMPÄRISTÖN SUOJAUS KOKO ELINKAAREN AJAN – MUUTOSHALLINTAMENETTELYT
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Muutoshallintamenettelyt tietojenkäsittely-ympäristöissä (TL IV)
1. Task description
  • Tietojenkäsittely-ympäristö on dokumentoitu sellaisella tasolla, että siitä pystytään selvittämään tietojenkäsittely-ympäristössä käytetyt laitteet ja ohjelmistot versiotietoineen (laite-, käyttöjärjestelmä- ja sovellusohjelmistot) ja se tukee myös haavoittuvuuksien hallintaa.
  • Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi. Tietojenkäsittely-ympäristön kirjanpito pidetään ajan tasalla koko elinkaaren ajan.
  • Tietojenkäsittely-ympäristön turvallisuuden toteuttamiseen liittyvän aineiston (dokumentaatiot, sähköiset kirjanpidot ja vast.) luokittelu- ja suojaamistarpeet on määritetty.
Fyysisen turvallisuuden riskien arviointi
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

FYY-01: Fyysisen turvallisuuden riskien arviointi
Julkri
F-02: Fyysisten turvatoimien riskien arviointi
Katakri 2020
8 §: Kyberturvallisuutta koskeva riskienhallinnan toimintamalli
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Fyysisen turvallisuuden riskien arviointi
1. Task description

Fyysiset turvatoimet on mitoitettava riskien arvioinnin mukaisesti. Riskien arvioinnissa tulee ottaa huomioon esimerkiksi pääsyoikeuksien hallintaan ja muihin turvallisuusjärjestelyihin liittyviin prosesseihin sisällytettävät tiedonsaantitarpeen, tehtävien eriyttämisen ja vähimpien oikeuksien periaatteet. Fyysisiä turvatoimia koskevan riskien arvioinnin tulee olla säännöllistä ja osa organisaation riskienhallinnan kokonaisuutta. Arvioiduilla riskeillä on nimetyt omistajat.

Riskien arvioinnissa on otettava huomioon kaikki asiaan kuuluvat tekijät, erityisesti

seuraavat:

  • Tietojen turvallisuusluokka ja salassapitoperuste;
  • Tietojen käsittely- ja säilytystapa sekä määrä ottaen huomioon, että tietojen suuri määrä tai kokoaminen yhteen voi edellyttää tiukempien riskienhallintatoimenpiteiden soveltamista;
  • Tietojen käsittely- ja säilytysaika
  • Tietojen käsittely- ja säilytyspaikan ympäristö: rakennuksen ympäristö, sijoittuminen rakennuksessa, tilassa tai sen osassa;
  • Hälytystilanteisiin liittyvä vasteaika
  • Ulkoistetut toiminnot, kuten huolto-, siivous-, kiinteistö- ja turvallisuuspalvelut
  • Tiedustelupalvelujen, rikollisen toiminnan ja oman henkilöstön muodostama arvioitu uhka tiedoille
Legal risks related to the service
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

HAL-06.1: Riskienhallinta - lainsäädäntöjohdannaiset riskit
Julkri
See all related requirements and other information from tasks own page.
Go to >
Legal risks related to the service
1. Task description

Lainsäädäntöjohdannaisilla riskeillä viitataan eri maiden lainsäädännössä oleviin mahdollisuuksiin velvoittaa palveluntarjoaja toimimaan yhteistyössä kyseisen maan viranomaisten kanssa, ja tarjoamaan esimerkiksi suora tai epäsuora pääsy palvelun asiakkaiden salassa pidettäviin tietoihin. Lainsäädäntöjohdannaiset riskit voivat ulottua sekä salassa pidettävän tiedon fyysiseen sijaintiin sekä muun muassa toisesta maasta käsin hallintayhteyksien kautta toteutettavaan tietojen luovutukseen. Lainsäädäntöjohdannainen tietojen luovuttaminen ja tutkimusoikeus on useissa maissa rajattu koskevaksi poliisia sekä tiedusteluviranomaisia.

Riskienarvioinnin tulisi kattaa lainsäädäntöjohdannaiset riskit vähintään seuraavien tekijöiden osalta:

  • Palvelussa käsiteltävän tiedon fyysinen sijainti koko tiedon elinkaaren ajalta, kattaen myös mahdolliset alihankinta- ja ulkoistusketjut.
  • Palvelun eri toimintojen (esimerkiksi ylläpito- ja hallintaratkaisut, varmistukset) ja komponenttien fyysinen sijainti koko tiedon elinkaaren ajalta.
  • Mahdolliset muut palvelun tuottamiseen osallistuvat tahot, esimerkiksi mahdolliset alihankinta-ja ulkoistusketjut.
  • Palvelun käyttöön ja palvelussa käsiteltäviin tietoihin sovellettava lainsäädäntö ja oikeuspaikka.
  • Toimijat, joilla voi sovellettavasta lainsäädännöstä johtuen olla pääsy palvelussa käsiteltäviin tietoihin.

Organisaation tulee varmistaa, että lainsäädäntöjohdannaiset riskit eivät rajoita palvelun soveltuvuutta sen käyttötarkoitukseen. Lainsäädäntöjohdannaisten riskien arvioinnissa on otettu huomioon koko palvelun tuottamisessa käytetty toimitusketju, ja niiden valtioiden säännökset, joiden mukaisesti palvelua tuotetaan sekä riski tietojen oikeudettomasta paljastumisesta näiden valtioiden viranomaisille.

Riskien käsittelyvaiheessa määriteltyjen tietoturvallisuustoimenpiteiden arviointi
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
4
requirements

Examples of other requirements this task affects

HAL-06: Riskienhallinta
Julkri
RISK-4: Respond to Cyber Risk
C2M2
CC5.1: Control activities for mitigation of risks
SOC 2
1.4.1: Management of Information Security Risks
TISAX
See all related requirements and other information from tasks own page.
Go to >
Riskien käsittelyvaiheessa määriteltyjen tietoturvallisuustoimenpiteiden arviointi
1. Task description

Tietoturvariskien hallintaa toteuttaessaan organisaation on tunnistettava käsittelyä vaativat riskit ja määriteltävä näille käsittelysuunnitelmat, jotka usein koostuvat uusista tietoturvallisuustoimenpiteistä.

Organisaatio on määritellyt, kuinka säännöllisesti arvioidaan kokonaisuutena määriteltyjä käsittelysuunnitelmia ja niiden oikeasuhtaisuutta riskeille täytettyihin arvioihin (riskin vakavuus ja todennäköisyys) verrattuna.

Risk level accepted by the organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
16
requirements

Examples of other requirements this task affects

ID.RM-2: Risk tolerance
NIST
ID.RM-3: Informing of risk tolerance
NIST
6.1: Information security risk management
ISO 27001
RISK-1: Establish and Maintain Cyber Risk Management Strategy and Program
C2M2
21.2.a: Risk management and information system security
NIS2
See all related requirements and other information from tasks own page.
Go to >
Risk level accepted by the organization
1. Task description

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

Approval of the risk management procedure description
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
7
requirements

Examples of other requirements this task affects

ID.RM-1: Risk management processes
NIST
Article 6: ICT risk management framework
DORA
1.4.1: Management of Information Security Risks
TISAX
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Approval of the risk management procedure description
1. Task description

The organization shall establish a description of the procedures for risk management processes and it has to be approved. The organization must agree about it with the organization's stakeholders.

Assessment of the impact and likelihood of the risks and the scales used
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
8
requirements

Examples of other requirements this task affects

ID.RA-4: Impacts on business
NIST
Article 6: ICT risk management framework
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
1.4.1: Management of Information Security Risks
TISAX
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Assessment of the impact and likelihood of the risks and the scales used
1. Task description

As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.

The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.

Process for including information security aspects in project management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

6.1.5: Information security in project management
ISO 27001
5.8: Information security in project management
ISO 27001
1.2.3: Information Security requirements in projects
TISAX
See all related requirements and other information from tasks own page.
Go to >
Process for including information security aspects in project management
1. Task description

Organisation has defined how information security aspects are integrated into used project management methods. Methods in use should require:

  • Project’s information security related risks are identified, evaluated and treated at an early stage of the project
  • Project’s information security related risks are reviewed if necessary
  • Responsibility for project’s information security is clearly attached to certain project roles
Practicing disaster plans
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Practicing disaster plans
1. Task description

The organization has to exercise executing the catastrophe plan annually or always when there are significant changes to the plan.

If possible local authorities should be included in the exercise.

Consideration of risk management results in continuity planning
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
5
requirements

Examples of other requirements this task affects

29: Jatkuvuuteen liittyvien riskien arviointi
Digiturvan kokonaiskuvapalvelu
30: Riskeihin perustuvat jatkuvuussuunnitelmat
Digiturvan kokonaiskuvapalvelu
1.4.1: Management of Information Security Risks
TISAX
See all related requirements and other information from tasks own page.
Go to >
Consideration of risk management results in continuity planning
1. Task description

The organisation has to evaluate the impact of business disruptions and risks. Based on this evaluation the organisation must prioritize themes in continuity planning to focus on the important risk related issues.

Taking the results of risk management into account in audit procedures
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

Article 6: ICT risk management framework
DORA
1.4.1: Management of Information Security Risks
TISAX
See all related requirements and other information from tasks own page.
Go to >
Taking the results of risk management into account in audit procedures
1. Task description

The organization must take into account risk management procedures results when planning internal audit topics and execution, and when executing audits.

Treatment process and documentation of identified non-conformities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
13
requirements

Examples of other requirements this task affects

10.2: Non-conformity and corrective action
ISO 27001
23: Häiriöiden- ja poikkeamienhallintaprosessi
Digiturvan kokonaiskuvapalvelu
21.4: Non-conformities and corrective actions
NIS2
CC4.2: Evaluation and communication of internal control deficiencies
SOC 2
P8.1: Periodic monitoring of privacy compliance
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Treatment process and documentation of identified non-conformities
1. Task description

From the point of view of the information security management system, non-conformities are situations in which:

  • the organisation's security requirements are not matched by the management system
  • the procedures, tasks or guidelines defined in the management system are not complied with in the organisation's day-to-day operations

In systematic security work, all detected non-conformities must be documented. To treat the non-conformity, the organization must identify and implement improvements that correct it.

Evaluation process and documentation of significant security-related changes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
33
requirements

Examples of other requirements this task affects

12.1.2: Change management
ISO 27001
6.5: Tietojärjestelmien asennus, ylläpito ja päivitys
Omavalvontasuunnitelma
PR.IP-3: Configuration change control processes
NIST
TEK-17: Muutoshallintamenettelyt
Julkri
8.32: Change management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Evaluation process and documentation of significant security-related changes
1. Task description

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

Yleiset muutostenhallintamenettelyt (ST II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

I20: Muutoshallintamenettelyt
Katakri
See all related requirements and other information from tasks own page.
Go to >
Yleiset muutostenhallintamenettelyt (ST II)
1. Task description

Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.

Suojaustasolla II muutostenhallinnassa käytetään seuraavia toimintatapoja:

  • Tietojenkäsittelyyn liittyviin muutoksiin on määritelty muutoksenhallintamenettely (esim. määrittely, dokumentointi, riskien arviointi ja hallinta). Muutokset ovat jäljitettävissä.
  • Verkot, järjestelmät ja niihin liittyvät laitteet, ohjelmistot ja asetukset on dokumentoitu siten, että muutokset hyväksyttyyn kokoonpanoon pystytään havaitsemaan vertaamalla toteutusta dokumentaatioon.
  • Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi.
  • Laitteistot suojataan luvattomien laitteiden (näppäilynauhoittimet ja vastaavat) liittämistä vastaan.
Yleiset muutostenhallintamenettelyt (ST IV-III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

I20: Muutoshallintamenettelyt
Katakri
See all related requirements and other information from tasks own page.
Go to >
Yleiset muutostenhallintamenettelyt (ST IV-III)
1. Task description

Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.

Suojaustasoilla IV-III muutostenhallinnassa käytetään seuraavia toimintatapoja:

  • Tietojenkäsittelyyn liittyviin muutoksiin on määritelty muutoksenhallintamenettely (esim. määrittely, dokumentointi, riskien arviointi ja hallinta). Muutokset ovat jäljitettävissä.
  • Verkot, järjestelmät ja niihin liittyvät laitteet, ohjelmistot ja asetukset on dokumentoitu siten, että muutokset hyväksyttyyn kokoonpanoon pystytään havaitsemaan vertaamalla toteutusta dokumentaatioon.
  • Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi.
Luettelo salassa pidettävän tiedon käsittelyä edellyttävistä työtehtävistä
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
4
requirements

Examples of other requirements this task affects

T12: Tiedonsaantitarve ja käsittelyoikeudet
Katakri
HAL-10: Henkilöstön luotettavuuden arviointi
Julkri
T-13: TIEDONSAANTITARVE JA KÄSITTELYOIKEUDET
Katakri 2020
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Luettelo salassa pidettävän tiedon käsittelyä edellyttävistä työtehtävistä
1. Task description

Organisaatio ylläpitää luetteloa salassa pidettävän tiedon käsittelyä edellyttävistä työtehtävistä. Pääsyoikeus salassa pidettävään tietoon myönnetään vasta, kun henkilön työtehtävistä johtuva tiedonsaantitarve on selvitetty. Luettelo sisältää tiedon salassa pidettävien tietojen käsittelyoikeuksista suojaustasoittain.

Documentation of linked risks for identified security incidents
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
12
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
24. Responsibility of the controller
GDPR
T05: Jatkuvuuden hallinta
Katakri
21.2.a: Risk management and information system security
NIS2
8.3: Information security risk treatment
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Documentation of linked risks for identified security incidents
1. Task description

Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

  • Description of the incident
  • Risks associated with the incident
  • New tasks introduced as a result of the incident
  • Other measures taken due to the incident
Regular internal monitoring of the implementation of the information security management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
21
requirements

Examples of other requirements this task affects

18.2.2: Compliance with security policies and standards
ISO 27001
5.36: Compliance with policies, rules and standards for information security
ISO 27001
4.4: Information security management system
ISO 27001
12: Digiturvan tilan seuraaminen
Digiturvan kokonaiskuvapalvelu
20.2: Top management monitoring for training
NIS2
See all related requirements and other information from tasks own page.
Go to >
Regular internal monitoring of the implementation of the information security management system
1. Task description

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.

Consideration of security-classified risks to information in risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

T-03: TIETOTURVALLISUUSRISKIEN HALLINTA
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Consideration of security-classified risks to information in risk management
1. Task description

Top management of the organization is responsible for:

  • the organization having security principles approved by the top management, which describe the connection of the organization's information security measures to the organization's operations
  • the security principles being comprehensive and appropriate in terms of protecting classified information
  • security principles guiding information security measures
  • the organization having organized sufficient monitoring of compliance with obligations and instructions related to information management of security-classified information.

Management support, guidance and responsibility are manifested in the fact that the organization has security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations. This shows that the management is committed to the organization's safety principles and that the principles represent the will of the management and support the organization's operations. The principles can be described in many different ways, for example as a single document, as part of general operating principles, policy or strategy.

Assigning responsibility of ICT-risk management to appropriate function
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

Article 6: ICT risk management framework
DORA
See all related requirements and other information from tasks own page.
Go to >
Assigning responsibility of ICT-risk management to appropriate function
1. Task description

The responsibility for the organisations ICT risk management should be assigned to a function that has a level of independence to conduct the risk management without conflicts of interest.

The independence of the risk management and segregation of management, control and audit functions needs to be ensured.

Enabling asset-based risk management in the ISMS
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
4
requirements

Examples of other requirements this task affects

Article 8: Identification
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
5.2.2: Seperation of testing and development environments
TISAX
1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Enabling asset-based risk management in the ISMS
1. Task description

The organisation must enable asset based risk management from the ISMS settings.

Asset-based risk management should be set to cover all needed asset types with high enough criticality. The asset based risk management should be used at least for:

  • System providers
  • Data systems
  • Data stores
  • Other stakeholders
  • Other assets
Identification and assessment of risks based on the classification of data sets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
0
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Identification and assessment of risks based on the classification of data sets
1. Task description

The organization plans and prioritizes measures related to the identification and assessment of information security risks based on the classification of data sets.

Creating and maintaining risk assessment framework
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining risk assessment framework
1. Task description

Choose the right method for risk assessment. There are a number of different methods for identifying and assessing risk. It is important that the organisation chooses a method that makes risk assessments manageable and allows one to identify, discuss and manage the most significant risks. Examples of different methods/frameworks include ISO/IEC 27005, NIST SP 800-30 and Octave Allegro.

Strategic opportunities and positive risks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Strategic opportunities and positive risks
1. Task description

Strategic opportunities can address the organization's cybersecurity risks and enhance the overall strategic positioning. Identify and include them into the organizational cybersecurity risk discussions for example by the following:

  • Define methods for identifying and integrating the strategic opportunities, such as the SWOT analysis
  • Identify and document organization's stretch goals and align organization’s risk management procedure with them
  • Calculate, document, and prioritize positive risks alongside negative risks, ensuring both are considered in decision-making processes
Risk management policy -report publishing, informing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Risk management policy -report publishing, informing and maintenance
1. Task description

The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:

  • Basis for setting the risk management requirements and objectives based on the organizational context
  • Commitment to the cyber security risk management system
  • Strategic directions of the risk management process
  • Overview of the roles and responsibilities for risk management

The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.

Evaluation of risk management strategy, results and performance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Evaluation of risk management strategy, results and performance
1. Task description

Organization has defined procedures on measuring and evaluating the performance of the risk management strategy and the outcomes of occurred risks.

  • The strategy and outcomes should be evaluated against factors such as how well the strategy has helped the management to make decisions and achieve organizational objectives, and whether the strategies or policies should be adjusted.
  • The risk management strategy should be periodically reviewed for organizational internal (e.g. risk tolerance and policies) and external (e.g. laws and regulations) compliance, also taking the occurred cybersecurity incidents into account here.
  • The organizational risk management performance is measured and reviewed with key performance indicators (KPIs), key risk indicators (KRIs) and other metrics to adjust the risk management process when needed.

The results are communicated to the top management and other relevant stakeholders, and the necessary actions and adjustments are performed.

Assessing service providers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Assessing service providers
1. Task description

The organization develops tailored assessment criteria for service providers based on their classification, incorporating standardized reports, customized questionnaires, and, when necessary, on-site audits to evaluate providers' security and compliance.

Monitoring service providers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Monitoring service providers
1. Task description

The organization regularly reassess service provider compliance, monitor release notes, implement dark web surveillance, integrate centralized dashboards, maintain open communication, establish incident response protocols, and annually update monitoring practices to ensure ongoing alignment with security standards and address any potential risks.

Conducting threat modeling
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Conducting threat modeling
1. Task description

The organization assembles a skilled threat modeling team, map the application architecture, identify potential entry points, assess risks, develop threat scenarios and mitigation strategies, document and prioritize findings, and regularly update threat models to enhance application security

Consideration of partner risks in information security risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

CC9.2: Partner risk management
SOC 2
1.3.3: Use of approved external IT services
TISAX
See all related requirements and other information from tasks own page.
Go to >
Consideration of partner risks in information security risk management
1. Task description

The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.



Continuous improvement of the risk management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
9
requirements

Examples of other requirements this task affects

21: Riskienhallintaprosessin kehittäminen
Digiturvan kokonaiskuvapalvelu
21.2.a: Risk management and information system security
NIS2
Article 6: ICT risk management framework
DORA
1.4.1: Management of Information Security Risks
TISAX
8 §: Kyberturvallisuutta koskeva riskienhallinnan toimintamalli
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Continuous improvement of the risk management process
1. Task description

The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.

In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.

Assessment of residual risks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
9
requirements

Examples of other requirements this task affects

20: Jäännösriskien arviointi
Digiturvan kokonaiskuvapalvelu
21.2.a: Risk management and information system security
NIS2
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
7 §: Riskienhallinta
Kyberturvallisuuslaki
ID.GV-4: Governance and risk management processes address cybersecurity risks.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Assessment of residual risks
1. Task description

After risk treatment, the organization assesses the remaining level of residual risk per risk.

Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.

Regular communication of the general risk situation to the organization's management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
4
requirements

Examples of other requirements this task affects

17: Riskitilanteen raportointi johdolle
Digiturvan kokonaiskuvapalvelu
CC3.2: Identification of risks related to objectives
SOC 2
1.1.4: Identify the organisation’s tolerances for ICT risk
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Regular communication of the general risk situation to the organization's management
1. Task description

The organization's risk outlook is reported to the organization's management regularly and at least once a year.

Rules for deviating from the change management procedure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

CC3.4: Identification and assesment of changes
SOC 2
5.2.1: Change management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Rules for deviating from the change management procedure
1. Task description

The organization has to have rules for urgent emergencies when following the rules allows for deviating from standard change management procedures.

The rules should include references and comparisons to the normal change management procedures and for example needed evidence for the reason for deviation from normal procedure.

Detection of non-compliance with the change management procedure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
3
requirements

Examples of other requirements this task affects

CC3.4: Identification and assesment of changes
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Detection of non-compliance with the change management procedure
1. Task description

The organization has to have pre-planned means of detecting non-compliance with the change management procedure.

If a deviation from the change management procedure is detected, it should be addressed in accordance with the disruption management process.

Regular external auditing of security practices
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
12
requirements

Examples of other requirements this task affects

18.2.1: Independent review of information security
ISO 27001
5.35: Independent review of information security
ISO 27001
51: Tietoturvallisuuden auditointi
Digiturvan kokonaiskuvapalvelu
21.2.f: Assessing effectiveness of security measures
NIS2
CC4.1: Evaluation of internal controls
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Regular external auditing of security practices
1. Task description

Organisation carries out data security auditing regularly. Auditing is used to identify e.g. problems and development needs in data systems and system providers activity.

Important auditing partners should be listed on Other stakeholders -list.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.