Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Choose a desired framework

ISO 27001 (2022): Full

Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

  • Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
  • Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management
  • Advanced documentation e.g. risks, non-conformities and improvements

Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

NIS2 Directive

NIS 2 sets the baseline for cybersecurity risk management measures and reporting obligations across important industries covered by the directive, such as energy, transport, health, food, waste, public administration and digital infrastructure - and even more importantly to their supply chains.

NIS 2 tigthtens the rules and expand its scope when compared to original NIS Directive from 2016. It also adds top management accountability and tightens sanctions for non-compliance.

C2M2: MIL1

The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.

This level includes the MIL1 requirements and other measures included in other supported frameworks, giving an estimated 50% coverage of the full framework.

Cyber Essentials

Cyber Essentials is backed by the United Kingdom's government to help protect organisations, large or small, from cyber attacks. It is a good tool for getting the essentials of cyber security to a level which helps decrease the chance of your organisation to be vulnerable to basic cyber attacks.

  • Tasks for admins regarding firewall, password and device management policies and malware protection, user access control and software management.
  • Guidelines for employees regarding secure password practices and other cyber security basics.
  • Documentation of main software and hardware assets relevant for information security.
CyberFundamentals (Belgium)

The CyberFundamentals framework is created by Centre for Cybersecurity Belgium. It provides a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks, and increase your organisation's cyber resilience. The framework is based on:

  • Four commonly used cybersecurity frameworks (NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443)
  • Anonymized historical data of successful cyber-attacks. Through retro-fitting, we are able to assess what percentage of past attacks the measures of the Framework will protect you against.
  • The Cyberfundamentals are structured in 4 levels, with a subsequent level containing a little more measures than the previous one each time. A beginner level Small, followed by Basic, Important and Essential. The Essential level contains all the basic information security mesures from previous ones and introduces more advanced controls. The essential level is in line with the NIS2 directive.

    Cyberday content library

    Cyberday unravels cyber security and privacy requirements into clear tasks, which can be delegated and clearly demonstrated as done.

    Cyberday is used to show "assurance information" of implementing the task, which either mean documentation, guidelines or reports directly in Cyberday, or free descriptions of task implementation when it's executed outside of the ISMS.

    Feel free to familiarize yourself with Cyberday task content. Each task has its own page, which includes a description, connected Cyberday features and related requirements that are complied with through the task.

    Digital Operational Resilience Act (DORA)

    The Digital Operational Resilience Act (DORA) is the EU law on digital operational resilience. DORA aims to achieve a uniform high level of digital resilience across the EU. It sets out uniform requirements for information networks and systems that support financial business processes.

    DORA sets out requirements for, among other things, protection, detection, isolation, recovery and remediation in the event of a security incident. Further requirements include extensive risk and incident management, cyber threat and vulnerability sharing, requirements for resilience testing and reporting incidents to authorities.

    Digital security overview

    Digital security overview is a service developed and maintained by the Finnish Digital and population data services agency. Goal of the service is to gather information about the digital security status of public sector organisations.

    Requirements of this framework match the questions of the service.

    General Data Protection Regulation

    GDPR sets out the requirements for lawful processing of personal data and demonstrating the adequate protection of data.

    • Privacy and personal data handling guidelines for employees
    • Informing, data processor and breach management tasks for admins
    • Data processing, data transfer, privacy risk and DPIA documentation
    ISO 27001 (2013): Full

    Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

    • Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
    • Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management
    • Advanced documentation e.g. risks, non-conformities and improvements

    Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

    ISO 27017

    ISO 27017 is a security standard developed especially for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security incidents.

    • Technical tasks related to cloud environment and shared responsibilities.
    • Advanced tasks e.g. about virtualization and monitoring cloud services

    ISO 27017 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

    ISO 27018

    ISO 27018 is a security standard developed especially for cloud service providers to ensure risks are assessed and controls are implemented to protect personally identifiable information (PII).

    • Documentation related to processing personally identifiable information (PII).
    • Tasks related to purpose, data and retention minimization.
    • Advanced tasks related to the information security while processing PII.

    ISO 27018 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

    ISO 27701

    ISO 27701 is a privacy extension to ISO 27001. The framework aims to upgrade the existing Information Security Management System (ISMS) with additional requirements related to processing and protecting personal data in order to establish also a Privacy Information Management System (PIMS).

    • Documentation related to processing activities, transfers and disclosures of personal data.
    • Tasks related to data subject rights and ensuring lawfulness of processing.
    • Advanced privacy-related tasks about ensuring proper consent and filling other requirements for personal data controllers and processors.

    Certifications are available for ISO 27701. As the framework extends ISO 27001, organizations seeking an ISO 27701 certification will need to have the ISO 27001 certification.

    Julkri: TL IV-I

    Cyber security evaluation criteria by Finnish authorities for Finnish public administration.

    Julkri lists 200 security measures of varying levels, which help organizations fulfill the requirements of e.g. local laws and the GDPR.

    This framework includes all the criteria from Julkri: Full framework and in addition criteria for security classified information (TL IV, TL III, TL II and TL I).

    Katakri (Finnish national security auditing criteria)

    Katakri is used when evaluating organisation's ability to secure confidential information from Finnish national authorities. It can be used to guide security work in an organisation, that wants to be ready for an audit performed by authorities.

    • Tasks for admins about security management, physical security and technical cyber security.
    • Documentation of identified and evaluated security risks and defined control measures.
    • Guidelines for employees on working on secure areas and protecting confidential data from authorities.
    Katakri 2020

    Katakri is used when evaluating organisation's ability to secure confidential information from Finnish national authorities. It can be used to guide security work in an organisation, that wants to be ready for an audit performed by authorities.

    • Tasks for admins about security management, physical security and technical cyber security.
    • Documentation of identified and evaluated security risks and defined control measures.
    • Guidelines for employees on working on secure areas and protecting confidential data from authorities.
    Kyberturvallisuuslaki (NIS2)

    Kyberturvallisuuslaki säätää tietoturvatoimenpiteistä keskeisiksi tai tärkeiksi nimetyillä toimialoilla sekä kyberturvallisuutta koskevien riskien hallinnasta. Kyberturvallisuuslaki vie Suomessa täytäntöön NIS2 -direktiivin.

    NIST Cybersecurity Framework

    NIST Cybersecurity Framework is a collaborative effort coordinated by The National Institute of Standards and Technology (NIST, part of the U.S. Department of Commerce) and involving industry, academia, and government.

    Framework is designed to help owners and operators of critical infrastructure to identify, assess and manage cyber risks.

    • Advanced tasks e.g. about risk management and incident detection, response and recovery.
    • Advanced documentation e.g. on information security risks
    • Generic cyber security guidelines for empoyees, priviliged users, senior management and other stakeholders.
    NSM ICT Security Principles (Norway)

    NCM ICT Security Principles is a framework for ICT security published and maintained by the Norwegian National Security Authority (NSM). The security principles advise businesses and organisations on how to protect their information systems from unauthorized access, damage or misuse.

    The principles focus on technological and organisational measures. Measures concerning physical security and the human perspective are generally not covered. The measures apply to both unintentional and intentional acts, although the main focus is on intentional acts.

    In this framework there are 21 security principles with a total of 118 security measures, distributed across four categories: i) identify, ii) protect and maintain, iii) detect and iv) respond and recover.

    Public administration information management act

    This Finnish law is designed to promote harmonization of information management, cyber security and digitalisation in public administration.

    • Information management -specific guidelines for employees or different sectors
    • Tasks related to setting responsibilities, reporting for public and residents, archiving and technical interfaces
    • Documentation about operational processes, data systems, data stores, data processing and related risks
    SOC 2 (Systems and Organization Controls)

    SOC 2 framework specifies how organizations should protect customer data from e.g. unauthorized access, security incidents or other vulnerabilities. It is developed by the American Institute of Certified Public Accountants (AICPA).

    SOC 2 includes 5 different requirement sets: security, availability, processing integrity, confidentiality and privacy. A SOC 2 audit can be carried out related to one or all of these criteria. Each criteria has specific requirements that the company needs to comply with by implementing controls.

    TISAX: Information security

    TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

    This framework includes TISAX's information security requirements, which are mandatory for all TISAX participants. Framework can be further expanded with prototype protection and data protection requirements found as extension frameworks.

    TiHL: Suositus tietoturvan vähimmäisvaatimuksista

    Tiedonhallintalautakunnan suositus, joka opastaa tiedonhallintalain asettamien tietoturvallisuuden vähimmäisvaatimusten täyttämisessä, jotka kaikkien julkishallinnon organisaatioiden tulee vähintään täyttää. Vähimmäisvaatimusten osana organisaatioiden tulee tunnistaa ja arvioida tietojenkäsittelyyn liittyvät riskit sekä toteuttaa toimenpiteet riskien pienentämiseksi hyväksyttävälle tasolle.

    Tietoturvan ja tietosuojan omavalvontasuunnitelma

    Voimassa olevan asiakastietolain mukaisesti kaikkien sosiaali- ja terveydenhuollon palvelunantajien on laadittava tietosuojan, tietoturvallisuuden ja tietojärjestelmien käytön omavalvontasuunnitelma.

    THL julkaisi vuonna 2020 uuden mallin tietoturvallisuuden ja tietosuojan omavalvontasuunnitelmasta. Omavalvontasuunnitelma tukee sote-palveluntuottajia tietoturvallisuuden ja tietosuojan suunnittelussa.

    Palveluntuottaja pystyy suunnitelman avulla huomioimaan ja suunnittelemaan olennaiset tietosuojan, tietoturvallisuuden ja tietojärjestelmien käytön asiat.

    Tietoturvasuunnitelma (THL 3/2024)

    Tietoturvasuunnitelma on dokumentti, jolla sosiaali- ja terveyspalveluiden tuottajat kuvaavat tietoturvan- ja tietosuojan omavalvontaa. Tietoturvasuunnitelman täytyy kuvata kuinka palveluntuottaja täyttää asiakastietolain 27 §:n vaatimukset, joita asiakas- ja potilastietojen käsittelyyn ja niitä käsitteleviin tietojärjestelmiin liittyy. Vaatimuksia ovat mm.

    • tietojärjestelmien käyttäjillä on oltava tarvittava koulutus
    • tietojärejstelmien ylläpitoa toteuttaa vain henkilö, jolla on riittävä ammattitaitojärjestelmien käyttöohjeet on saatavilla
    • tietojärjestelmät täyttävät tarkoituksen mukaiset olennaiset vaatimuksettietojärjestelmän tietoturva ja tietosuoja on varmistettava

    Choose a desired policy topic

    Policy
    Linked frameworks
    Theme
    Tasks
    Access control and authentication
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    System management
    44
    Agreements and monitoring
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Partner management
    16
    Automatic solution procedure
    TiHL
    Backups
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Technical cyber security
    9
    Case management and archiving
    TiHL
    TiHL: Tietoturva
    Changes in employment relationships
    TiHL
    CyFun
    TISAX
    KyberTL
    Katakri 2020
    Personnel security
    9
    Cloud service management
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Development and cloud
    Connections and use of Kanta-services
    Tietoturvasuunnitelma
    Self-monitoring
    Social and health services security plan
    Continuity management
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Risk management and leadership
    22
    Cyber security in contracts
    CyFun
    TISAX
    KyberTL
    Katakri 2020
    NIS2
    Personnel security
    6
    Cyber security management
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Risk management and leadership
    43
    Cyber security training
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Personnel security
    8
    Data breach management
    DORA
    CyFun
    TISAX
    KyberTL
    Katakri 2020
    Incident management
    5
    Data classification
    NSM ICT-SP
    CyFun
    TISAX
    Katakri 2020
    TiHL: Tietoturva
    Management of data sets
    9
    Data interfaces and disclosures
    TiHL
    TiHL: Tietoturva
    Data system management
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    System management
    22
    Data system procurement
    NSM ICT-SP
    TiHL
    CyFun
    TISAX
    KyberTL
    System management
    Data transfer and disclosure
    TiHL
    TISAX
    Tietoturvasuunnitelma
    SOC 2
    Sec overview
    Privacy
    9
    Email and web browser
    NSM ICT-SP
    CyFun
    SOC 2
    Julkri
    NIST
    Email and phishing
    11
    Encryption
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Technical cyber security
    44
    Equipment maintenance and safety
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Physical security
    14
    Incident management and response
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Incident management
    23
    Informing and data subject requests
    CyFun
    TISAX
    Tietoturvasuunnitelma
    SOC 2
    Sec overview
    Privacy
    19
    Interoperability
    ISO 27017
    Development and cloud
    5
    Malware protection
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Technical cyber security
    18
    Management of data sets
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Management of data sets
    25
    Management of secure areas
    Katakri 2020
    TiHL: Tietoturva
    Katakri
    Julkri
    C2M2: MIL1
    Physical security
    24
    Mobile device management
    NSM ICT-SP
    CyFun
    TISAX
    Tietoturvasuunnitelma
    Katakri
    Remote work and mobile devices
    15
    Network security
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Technical cyber security
    33
    Non-electronic data and copies
    CyFun
    TISAX
    Katakri 2020
    Tietoturvasuunnitelma
    Katakri
    Physical security
    12
    Organizing information management
    TiHL
    TiHL: Tietoturva
    Sec overview
    Julkri
    Personnel quality responsibilities
    No linked frameworks.
    Privacy by design and default
    SOC 2
    Sec overview
    Julkri
    ISO 27701
    ISO27k1 Full
    Privacy
    13
    Process management and monitoring
    No linked frameworks.
    Processing principles and accountability
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Privacy
    Products, services and customer focus
    No linked frameworks.
    Property security
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Physical security
    28
    Quality and processes
    No linked frameworks.
    Quality management
    No linked frameworks.
    Remote work
    NSM ICT-SP
    CyFun
    TISAX
    Tietoturvasuunnitelma
    SOC 2
    Remote work and mobile devices
    11
    Removable media
    CyFun
    TISAX
    Katakri 2020
    Tietoturvasuunnitelma
    Katakri
    Management of data sets
    15
    Risk management
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Risk management and leadership
    32
    Secure development
    NSM ICT-SP
    CyFun
    TISAX
    KyberTL
    Katakri 2020
    Development and cloud
    24
    Security and responsibilities
    TISAX
    Tietoturvasuunnitelma
    SOC 2
    Sec overview
    Julkri
    Privacy
    11
    Security guidelines
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Personnel security
    5
    Security of patient data systems
    Tietoturvasuunnitelma
    Security responsibilities (SSRM)
    No linked frameworks.
    Partner management
    Security systems and logging
    NSM ICT-SP
    DORA
    TiHL
    CyFun
    TISAX
    Technical cyber security
    29
    Staff guidance and training
    Tietoturvasuunnitelma
    Self-monitoring
    Social and health services security plan
    Supplier security
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Partner management
    13
    System's user instructions and support
    Tietoturvasuunnitelma
    Self-monitoring
    Social and health services security plan
    Technical vulnerability management
    NSM ICT-SP
    DORA
    CyFun
    TISAX
    KyberTL
    Technical cyber security
    27
    Tiedonhallintamalli
    TiHL
    TiHL: Tietoturva
    Sec overview
    Julkri
    Update and patch management
    No linked frameworks.
    System management
    Virtualization
    NSM ICT-SP
    CyFun
    TISAX
    Tietoturvasuunnitelma
    SOC 2
    Technical cyber security
    5

    Choose a desired cyber security requirement

    Requirement
    ID
    Framework
    Tasks
    Information security risk management
    6.1
    ISO 27001 (2022): Full
    4
    Establish a process to identify devices and software in use at the organisation
    1.2.1
    NSM ICT Security Principles (Norway)
    2
    Reduce Cybersecurity Vulnerabilities
    THREAT-1
    C2M2: MIL1
    2
    Tietosuojan vaikutustenarviointi - Ennakkokuuleminen
    TSU-17.1
    Julkri: TL IV-I
    1
    Detected events are analysed to understand attack targets and methods.
    DE.AE-2
    CyberFundamentals (Belgium)
    4
    General Data Protection Regulation
    3
    User, device, and other asset authentication
    PR.AC-7
    NIST Cybersecurity Framework
    6
    Contact with special interest groups
    6.1.4
    ISO 27001 (2013): Full
    1
    Personnel activity is monitored to detect potential cybersecurity events.
    DE.CM-3
    CyberFundamentals (Belgium)
    4
    IT service continuity planning
    5.2.8
    TISAX: Information security
    6
    Poikkeamien havainnointi
    9.9a §
    Kyberturvallisuuslaki (NIS2)
    9
    Kriittisten toimintojen tunnistaminen
    26
    Digital security overview
    1
    Käsittelyn lainmukaisuus - Suostumus
    TSU-07.1
    Julkri: TL IV-I
    1
    Notification about breaches and incidents to affected data subjects
    P6.6
    SOC 2 (Systems and Organization Controls)
    2
    External review of ISMS
    1.5.2
    TISAX: Information security
    2
    Physical security monitoring
    7.4
    ISO 27001 (2022): Full
    3
    Handling requests
    A.7.3.9
    ISO 27701
    1
    General Data Protection Regulation
    5
    General Data Protection Regulation
    15
    Records of PII disclosure to third parties
    A.8.5.3
    ISO 27701
    1
    Procure modern and up-to-date hardware and software
    2.1.2
    NSM ICT Security Principles (Norway)
    2
    Changing default passwords
    SEC-02
    Cyber Essentials
    1
    Tietojenkäsittely-ympäristön toimijoiden tunnistaminen - TL IV
    TEK-08.4
    Julkri: TL IV-I
    1
    Asset remote management and repair
    PR.MA-2
    NIST Cybersecurity Framework
    1

    Universal cyber compliance language model: Comply with confidence and least effort

    In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

    Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
    Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
    Start your free trial
    Get to know Cyberday
    Start your free trial
    Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
    With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
    Clear framework compliance plans
    Activate relevant frameworks and turn them into actionable policies tailored to your needs.
    Credible reports to proof your compliance
    Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
    AI-powered improvement suggestions
    Focus on the most impactful improvements in your compliance with help from Cyberday AI.