Information security plan (THL 3/2024)
6.2a: Continuity management

How to fill the requirement

Task: Creating and documenting continuity plans
Theme: Risk management and leadership
Policy: Continuity management

This task also fulfils the following other security requirements:

  • T05: Continuity management (Katakri)
  • 17.1.2: Implementing information security continuity (ISO27 Full)
  • ID.SC-5: Response and recovery (NIST)
  • PR.IP-9: Response and recovery plans (NIST)
  • RC.RP-1: Recovery plan (NIST)

1. Task description

Sometimes an unexpected event, such as a fire, flood or equipment failure, causes downtime. To be able to resume operations as quickly and smoothly as possible, continuity planning is carried out, i.e. the way of operating in these exceptional situations is planned in advance.

Each continuity plan shall contain at least the following information:

  • Event for which the plan has been made
  • Goal for recovery time
  • Responsible persons, related stakeholders and their contact information
  • Planned immediate actions
  • Planned recovery steps

Task: Identifying critical functions and related assets
Theme: Risk management and leadership
Policy: Continuity management

This task also fulfils the following other security requirements:

  • 26: Identifying critical functions (Sec overview)
  • 72: Identifying the organisation's critical services (Sec overview)
  • 73: Dependencies of critical services on service providers (Sec overview)
  • ASSET-1: Manage IT and OT Asset Inventory (C2M2: MIL1)
  • 6.2a: Continuity management (Information security plan)

1. Task description

The organization has a clear process by which it identifies the functions most critical to its operations (e.g. the services offered to customers); these functions are subject to the highest continuity requirements.

Items in the IT environment that these functions depend on (such as information systems, data repositories, operating processes, partners, units and hardware) are classified as critical.

Critical functions are treated with the highest priority, e.g. in continuity planning, and stricter security requirements can be applied to them than to other assets in the environment.


Task: Identifying and testing the continuity capabilities required from ICT services
Theme: Risk management and leadership
Policy: Continuity management

This task also fulfils the following other security requirements:

  • 5.30: ICT readiness for business continuity (ISO27k1 Full)
  • 6.2a: Continuity management (Information security plan)
  • Article 11: Response and recovery (DORA)
  • Article 12: Backup policies and procedures, restoration and recovery procedures and methods (DORA)
  • 5.2.8: IT service continuity planning (TISAX)

1. Task description

Continuity requirements for ICT services are derived from the continuity plans created for core processes (e.g. those related to providing the organization's products and services) and the recovery time goals those plans contain.

The organization must identify what recovery times and recovery points the different ICT services must be able to achieve, taking into account the recovery goals defined for the related processes, and must ensure that they can actually be achieved.

The planning must in particular ensure that:

  • responsibilities are defined for preparing for, managing and responding to disruptions in ICT services
  • continuity plans specific to ICT services have been created, approved and are tested regularly
  • the continuity plans state, for each important ICT service, its performance requirements, recovery time requirements and recovery actions, as well as its recovery point requirements and restoration actions

Task: Regular testing and review of continuity plans
Theme: Risk management and leadership
Policy: Continuity management

This task also fulfils the following other security requirements:

  • 17.1.3: Verify, review and evaluate information security continuity (ISO27 Full)
  • ID.SC-5: Response and recovery (NIST)
  • PR.IP-10: Response and recovery plan tests (NIST)
  • RS.IM-2: Response strategies update (NIST)
  • RC.IM-2: Recovery strategies (NIST)

1. Task description

The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.

Testing of continuity plans shall involve, as appropriate, the stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners.

In addition, the adequacy of the continuity plans and the associated management mechanisms should be reassessed whenever operations change significantly.


Task: Ensuring the reliability of data systems
Theme: Risk management and leadership
Policy: Continuity management

This task also fulfils the following other security requirements:

  • 6.2a: Continuity management (Information security plan)
  • Article 7: ICT systems, protocols and tools (DORA)
  • Article 9: Prevention (DORA)
  • 4.1: Information security of information systems (TiHL: Information security)
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident. (CyFun)

1. Task description

To ensure the reliability of the systems, the following measures should be taken:

  • Duplication (redundancy) of systems
  • Planned temporary solutions for problem situations
  • Availability of spare parts
  • Use of special components
  • Active monitoring
  • Active maintenance activities

Maintenance, updating and possible renewal of information systems, devices and networks should be planned so that the necessary component and software updates are implemented before failures occur. When assessing the criticality of components, the perspective of customer and patient safety should be taken into account.


Task: Ensuring the availability of instructions in exceptional situations
Theme: Social and health services security plan
Policy: System's user instructions and support

This task also fulfils the following other security requirements:

  • 6.4: Procedures in error and problem situations (Self-monitoring)
  • 6.2a: Continuity management (Information security plan)

1. Task description

The self-monitoring plan must describe how the availability of instructions is ensured, despite the exceptional situation, at the time they are needed.
