TiHL: Recommendation on minimum information security requirements
2.5: Risk management

Data system listing and owner assignment
Theme: System management
Policy: Data system management

This task also fulfils the following other security requirements:

  • I06: Management of access rights (Katakri)
  • 13 §: Information security of data sets and data systems (TiHL)
  • 24. Responsibility of the controller (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 32. Security of processing (GDPR)
1. Task description

The organisation must maintain a listing of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.

Data system documentation must include at least:

  • System purpose and linked responsibilities
  • System's data location (covered in a separate task)
  • System's maintenance and development responsibilities and linked partners (covered in a separate task)
  • When necessary, the system's access roles and authentication methods (covered in a separate task)
  • When necessary, the system's interfaces to other systems (covered in a separate task)
Documentation of data sets for data stores
Theme: Management of data sets
Policy: Management of data sets

This task also fulfils the following other security requirements:

  • T07: Classification of data (Katakri)
  • 13 §: Information security of data sets and data systems (TiHL)
  • 15 §: Ensuring the security of data sets (TiHL)
  • 6. Lawfulness of processing (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
1. Task description

The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

  • Data systems and other means used to process the data sets
  • Key categories of data in the data set (and whether it contains personal data)
  • Data retention period (discussed in more detail in a separate task)
  • Information on archiving / disposal of data (discussed in more detail in a separate task)
Risk management procedure report: publishing and maintenance
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • T04: Management of security risks (Katakri)
  • 5.1.1: Policies for information security (ISO27 Full)
  • 8.2: Information security risk assessment (ISO27k1 Full)
  • ID.GV-4: Processes (NIST)
  • ID.RA-5: Risk evaluation (NIST)
1. Task description

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk prioritisation, treatment options and definition of control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Identification and documentation of cyber security risks
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • T04: Management of security risks (Katakri)
  • 13 §: Information security of data sets and data systems (TiHL)
  • 24. Responsibility of the controller (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 8.3: Information security risk treatment (ISO27k1 Full)
1. Task description

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Monitoring the status of risk management
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • 19: Monitoring the status of risk management (Sec overview)
  • CC5.1: Control activities for mitigation of risks (SOC 2)
  • Article 6: ICT risk management framework (DORA)
  • 2.5: Risk management (TiHL: Information security)
1. Task description

Implemented risk management measures and the overall situation of risk management are checked regularly.

The operating model for monitoring the status of risk management is clearly described.

Assessment of the impact and likelihood of the risks and the scales used
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • ID.RA-4: Impacts on business (NIST)
  • Article 6: ICT risk management framework (DORA)
  • 2.5: Risk management (TiHL: Information security)
  • 1.4.1: Management of Information Security Risks (TISAX)
1. Task description

As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.

The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.

Enabling asset-based risk management in the ISMS
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • Article 8: Identification (DORA)
  • 2.5: Risk management (TiHL: Information security)
  • 5.2.2: Separation of testing and development environments (TISAX)
1. Task description

The organisation must enable asset-based risk management in the ISMS settings.

Asset-based risk management should be configured to cover all needed asset types with a high enough criticality. Asset-based risk management should be used at least for:

  • System providers
  • Data systems
  • Data stores
  • Other stakeholders
  • Other assets
Assessment of residual risks
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils the following other security requirements:

  • 20: Assessment of residual risks (Sec overview)
  • 21.2.a: Risk management and information system security (NIS2)
  • 2.5: Risk management (TiHL: Information security)
  • 7 §: Risk management (KyberTL)
  • ID.GV-4: Governance and risk management processes address cybersecurity risks. (CyFun)
1. Task description

After risk treatment, the organization assesses the remaining level of residual risk per risk.

Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.
