Content library
Kyberturvallisuuslaki (NIS2)
9.3 §: Tietojärjestelmien hankinta ja kehittäminen

Requirement description

Toimijoiden on toteutettava kyberturvallisuutta koskevan riskienhallinnan toimintamallin mukaiset oikeasuhtaiset tekniset, operatiiviset tai organisatoriset hallintatoimenpiteet viestintäverkkojen ja tietojärjestelmien turvallisuuteen kohdistuvien riskien hallitsemiseksi ja haitallisten vaikutusten estämiseksi tai minimoimiseksi.

Toimintamallissa ja siihen perustuvissa hallintatoimenpiteissä on otettava huomioon ja pidettävä yllä ajantasaisesti viestintäverkkojen ja tietojärjestelmien hankinnan, kehittämisen ja ylläpidon turvallisuus sekä tarvittavat menettelyt haavoittuvuuksien käsittelemiseksi ja julkistamiseksi.

How to fill the requirement

Kyberturvallisuuslaki (NIS2)

9.3 §: Tietojärjestelmien hankinta ja kehittäminen

Task name
Priority
Status
Theme
Policy
Other requirements
Process for managing technical vulnerabilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
36
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO27 Full
14.2.1: Secure development policy
ISO27 Full
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
See all related requirements and other information from tasks own page.
Go to >
Process for managing technical vulnerabilities
1. Task description

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

  • risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
  • necessary actions are scheduled
  • all actions taken are documented
Separation of production, testing and development environments
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
25
requirements

Examples of other requirements this task affects

12.5: Control of operational software
ISO27 Full
12.1.4: Separation of development, testing and operational environments
ISO27 Full
12.5.1: Installation of software on operational systems
ISO27 Full
14.2.6: Secure development environment
ISO27 Full
PR.DS-7: The development and testing environments
NIST
See all related requirements and other information from tasks own page.
Go to >
Separation of production, testing and development environments
1. Task description

Software under development, testing and production is run in differentiated technical environments in order to ensure the quality of development work in an environment that adapts to the production environment and, on the other hand, the production environment is not disturbed by unfinished development.

Sensitive or personal data of users is not copied and used in a development environment.

General rules for the procurement of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
15
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
HAL-16: Hankintojen turvallisuus
Julkri
5.23: Information security for use of cloud services
ISO27k1 Full
52: Tietoturva- ja tietousojavaatimukset hankintavaatimuksissa
Sec overview
See all related requirements and other information from tasks own page.
Go to >
General rules for the procurement of data systems
1. Task description

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Monitoring of technical vulnerability communications
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
3
requirements

Examples of other requirements this task affects

50: Teknisten haavoittuvuuksien seuranta
Sec overview
THREAT-1: Reduce Cybersecurity Vulnerabilities
C2M2: MIL1
9.3 §: Tietojärjestelmien hankinta ja kehittäminen
KyberTL
See all related requirements and other information from tasks own page.
Go to >
Monitoring of technical vulnerability communications
1. Task description

The organization monitors information about technical vulnerabilities of the information systems in use. When relevant technical vulnerabilities are detected, the organization takes action according to the planned operating model.

Defining standard templates for secure configurations
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
12
requirements

Examples of other requirements this task affects

8.9: Configuration management
ISO27k1 Full
ASSET-3: Manage IT and OT Asset Configuration
C2M2: MIL1
CC7.1: Procedures for monitoring changes to configurations
SOC 2
1.2.4: Definition of responsibilities with service providers
TISAX
5.3.2: Network device requirements
TISAX
See all related requirements and other information from tasks own page.
Go to >
Defining standard templates for secure configurations
1. Task description

Organization must be able to monitor that devices, data systems and networks are maintained in accordance with the defined configurations (including security features) both during the implementation phase and throughout their entire life cycle.

For this, the organization has defined standard templates for secure configurations of devices, data systems and networks. When specifying standard templates, the following are taken into account:

  • publicly available guidelines (e.g. templates from suppliers and independent security organizations)
  • the level of protection required for different assets
  • fulfilling related information security requirements
  • feasibility and applicability of the configurations to the organization's operations

Standard templates should be checked regularly and updated when significant new threats or vulnerabilities need to be responded to or new software or hardware versions are released.

The following points should be taken into account when defining standard templates:

  • the number of root-level rights is minimized
  • unnecessary access rights are disabled
  • unnecessary functions and services are deactivated
  • access to powerful utilities and important settings is strictly controlled
  • the clocks are synchronized
  • the supplier's default passwords are changed immediately and the security-related settings are checked
  • timeout functions are used if necessary (e.g. automatic logout)
  • license requirements are met
Protection and minimisation of test data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
9
requirements

Examples of other requirements this task affects

14.3: Test data
ISO27 Full
14.3.1: Protection of test data
ISO27 Full
8.33: Test information
ISO27k1 Full
21.2.e: Secure system acquisition and development
NIS2
5.3.1: Information Security in new systems
TISAX
See all related requirements and other information from tasks own page.
Go to >
Protection and minimisation of test data
1. Task description

The data and other materials used for testing should be carefully selected and protected.

Production information that contains personal or other confidential information should not be used for testing purposes.

Guidelines for secure development
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
20
requirements

Examples of other requirements this task affects

14.2.1: Secure development policy
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
TEK-14: Ohjelmistojen turvallisuuden varmistaminen
Julkri
8.25: Secure development life cycle
ISO27k1 Full
8.27: Secure system architecture and engineering principles
ISO27k1 Full
See all related requirements and other information from tasks own page.
Go to >
Guidelines for secure development
1. Task description

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

  • safety requirements of the development environment
  • instructions for secure coding of the programming languages used
  • safety requirements at the design stage of properties or projects
  • secure software repositories
  • version control security requirements
  • the skills required from developers to avoid, discover and fix vulnerabilities
  • compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Process for monitoring and tracking outsourced development work
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
12
requirements

Examples of other requirements this task affects

14.2.7: Outsourced development
ISO27 Full
DE.CM-6: External service provider activity monitoring
NIST
8.28: Secure coding
ISO27k1 Full
8.30: Outsourced development
ISO27k1 Full
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Process for monitoring and tracking outsourced development work
1. Task description

Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.

We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:

  • policies for reviewing and approving generated code
  • evidence of testing activities performed by the partner
  • communication practices
  • contractual rights to audit the development process and management tools
  • documentation requirements for code generation
Change management procedure for significant changes to data processing services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
23
requirements

Examples of other requirements this task affects

14.2.2: System change control procedures
ISO27 Full
14.2.4: Restrictions on changes to software packages
ISO27 Full
PR.DS-6: Integrity checking
NIST
TEK-17: Muutoshallintamenettelyt
Julkri
8.32: Change management
ISO27k1 Full
See all related requirements and other information from tasks own page.
Go to >
Change management procedure for significant changes to data processing services
1. Task description

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log
Security rules for the development and acquisition of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
24
requirements

Examples of other requirements this task affects

14.1.1: Information security requirements analysis and specification
ISO27 Full
14.1.2: Securing application services on public networks
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
I13: Ohjelmistoilla toteutettavat pääsynhallintatoteutukset
Katakri
See all related requirements and other information from tasks own page.
Go to >
Security rules for the development and acquisition of data systems
1. Task description

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

Network areas and structurally secure network design
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
21
requirements

Examples of other requirements this task affects

13.1.3: Segregation in networks
ISO27 Full
PR.AC-5: Network integrity
NIST
8.22: Segregation of networks
ISO27k1 Full
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2: MIL1
CC6.6: Logical access security measures against threats from sources outside system boundries
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Network areas and structurally secure network design
1. Task description

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:

  • trust level (eg public, workstations, server)
  • organizational units (eg HR, financial management)
  • or by some combination (for example, a server domain that is connected to multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

Regular critical code identification and verification
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
14
requirements

Examples of other requirements this task affects

14.2.3: Technical review of applications after operating platform changes
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
14.2.9: System acceptance testing
ISO27 Full
8.27: Secure system architecture and engineering principles
ISO27k1 Full
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Regular critical code identification and verification
1. Task description

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.
1.1 (MIL2): Manage IT and OT Asset Inventory
C2M2: MIL1
1.1 (MIL3): Manage IT and OT Asset Inventory
C2M2: MIL1
1.1.1: Availability of information security policies
TISAX
1.1.1: Identify the organisation’s strategy and priorities
NSM ICT-SP
1.1.2: Identify the organisation’s structures and processes for security management
NSM ICT-SP
1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
1.1.4: Identify the organisation’s tolerances for ICT risk
NSM ICT-SP
1.1.5: Identify the organisation’s deliverables, information systems and supporting ICT functions
NSM ICT-SP
1.1.6: Identify information processing and data flow
NSM ICT-SP
1.2 (MIL2): Manage Information Asset Inventory
C2M2: MIL1
1.2 (MIL3): Manage Information Asset Inventory
C2M2: MIL1
1.2.1: Establish a process to identify devices and software in use at the organisation
NSM ICT-SP
1.2.1: Scope of Information Security management
TISAX
1.2.2: Establish organisational guidelines for approved devices and software
NSM ICT-SP
1.2.2: Information Security Responsibilities
TISAX
1.2.3: Identify devices in use at the organisation
NSM ICT-SP
1.2.3: Information Security requirements in projects
TISAX
1.2.4: Definition of responsibilities with service providers
TISAX
1.2.4: Identify the software in use at the organisation
NSM ICT-SP
1.2: Manage Information Asset Inventory
C2M2: MIL1
1.3 (MIL2): Manage IT and OT Asset Configuration
C2M2: MIL1
1.3 (MIL3): Manage IT and OT Asset Configuration
C2M2: MIL1
1.3.1: Identification of information assets
TISAX
1.3.1: Identify the users of the information systems
NSM ICT-SP
1.3.2: Classification of information assets
TISAX
1.3.2: Identify and define the different user categories
NSM ICT-SP
1.3.3: Identify roles and responsibilities linked especially to ICT security
NSM ICT-SP
1.3.3: Use of approved external IT services
TISAX
1.3.4: Use of approved software
TISAX
1.3: Manage IT and OT Asset Configuration
C2M2: MIL1
1.4 (MIL2): Manage Changes to IT and OT Assets
C2M2: MIL1
1.4 (MIL3): Manage Changes to IT and OT Assets
C2M2: MIL1
1.4.1: Management of Information Security Risks
TISAX
1.4: Manage Changes to IT and OT Assets
C2M2: MIL1
1.5 (MIL1): Management Activities for the ASSET domain
C2M2: MIL1
1.5 (MIL2): Management Activities for the ASSET domain
C2M2: MIL1
1.5 (MIL3): Management Activities for the ASSET domain
C2M2: MIL1
1.5.1: Assessment of policies and requirements
TISAX
1.5.2: External review of ISMS
TISAX
1.5: Management Activities for the ASSET domain
C2M2: MIL1
1.6.1: Reporting of security events
TISAX
1.6.2: Management of reported events
TISAX
1.6.3: Crisis preparedness
TISAX
10 §: Johdon vastuu
KyberTL
10. Processing of personal data relating to criminal convictions and offences
GDPR
10.1 (MIL2): Establish Cybersecurity Program Strategy
C2M2: MIL1
10.1 (MIL3): Establish Cybersecurity Program Strategy
C2M2: MIL1
10.1.1: Policy on the use of cryptographic controls
ISO27 Full
10.1.2: Key management
ISO27 Full
10.1.2: Key management
ISO 27017
10.1: Continuous improvement
ISO27k1 Full
10.1: Cryptographic controls
ISO27 Full
10.1: Cryptographic controls
ISO 27017
10.1: Establish Cybersecurity Program Strategy
C2M2: MIL1
10.2 (MIL2): Establish and Maintain Cybersecurity Program
C2M2: MIL1
10.2 (MIL3): Establish and Maintain Cybersecurity Program
C2M2: MIL1
10.2: Establish and Maintain Cybersecurity Program
C2M2: MIL1
10.2: Non-conformity and corrective action
ISO27k1 Full
10.3 (MIL1): Management Activities for the PROGRAM domain
C2M2: MIL1
10.3 (MIL2): Management Activities for the PROGRAM domain
C2M2: MIL1
10.3 (MIL3): Management Activities for the PROGRAM domain
C2M2: MIL1
10.3: Management Activities for the PROGRAM domain
C2M2: MIL1
10: Cryptography
ISO27 Full
10: Cryptography
ISO 27017
10: Cybersecurity Program Management (PROGRAM)
C2M2: MIL1
10: Prosessi väärinkäytöksiin reagoimiseksi
Sec overview
11 §: Poikkeamailmoitukset viranomaiselle
KyberTL
11. Processing which does not require identification
GDPR
11.1.1: Physical security perimeter
ISO27 Full
11.1.2: Physical entry controls
ISO27 Full
11.1.3: Securing offices, rooms and facilities
ISO27 Full
11.1.4: Protecting against external and environmental threats
ISO27 Full
11.1.5: Working in secure areas
ISO27 Full
11.1.6: Delivery and loading areas
ISO27 Full
11.1: Secure areas
ISO27 Full
11.2.1: Equipment siting and protection
ISO27 Full
11.2.2: Supporting utilities
ISO27 Full
11.2.3: Cabling security
ISO27 Full
11.2.4: Equipment maintenance
ISO27 Full
11.2.5: Removal of assets
ISO27 Full
11.2.6: Security of equipment and assets off-premises
ISO27 Full
11.2.7: Secure disposal or re-use of equipment
ISO27 Full
11.2.7: Secure disposal or re-use of equipment
ISO 27017
11.2.8: Unattended user equipment
ISO27 Full
11.2.9: Clear desk and clear screen policy
ISO27 Full
11.2: Equipment
ISO27 Full
11.2: Equipment
ISO 27017
11: Digiturvan mittarien määrittäminen
Sec overview
11: Physical and environmental security
ISO27 Full
11: Physical and environmental security
ISO 27017
12 §: Luotettavuutta edellyttävien tehtävien tunnistaminen ja luotettavuudesta varmistuminen
TiHL
12 §: Poikkeamaa koskeva väliraportti
KyberTL
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
12.1.1: Documented operating procedures
ISO27 Full
12.1.2: Change management
ISO27 Full
12.1.3: Capacity management
ISO27 Full
12.1.4: Separation of development, testing and operational environments
ISO27 Full
12.1: Operational procedures and responsibilities
ISO27 Full
12.2.1: Controls against malware
ISO27 Full
12.2: Protection from malware
ISO27 Full