Content library
NSM ICT Security Principles (Norway)
1.1.2: Identify the organisation’s structures and processes for security management

Requirement description

Identify the organisation’s structures and processes for security management. This would normally include a) management policies, b) management structure with well-defined responsibilities, c) processes for risk management (see 1.1.3), d) established risk tolerances (see 1.1.4), e) ensure sufficient resources and specialist skills to support the management. f) Establish structures and processes for security management if such do not exist. Ensure that they are tailored for the organisation and becomes an integrated part of the governance of the organisation.

How to fill the requirement

NSM ICT Security Principles (Norway)

1.1.2: Identify the organisation’s structures and processes for security management

Task name
Priority
Status
Theme
Policy
Other requirements
Information security policy -report publishing, informing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
40
requirements

Examples of other requirements this task affects

T01: Turvallisuusperiaatteet
Katakri
8.1: Operational planning and control
ISO 27001
5.1.2: Review of the policies for information security
ISO 27001
5: Information security policies
ISO 27001
5.1: Management direction for information security
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Information security policy -report publishing, informing and maintenance
1. Task description

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
Risk management procedure -report publishing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
42
requirements

Examples of other requirements this task affects

T04: Turvallisuusriskien hallinta
Katakri
5.1.1: Policies for information security
ISO 27001
8.2: Information security risk assessment
ISO 27001
ID.GV-4: Processes
NIST
ID.RA-5: Risk evaluation
NIST
See all related requirements and other information from tasks own page.
Go to >
Risk management procedure -report publishing and maintenance
1. Task description

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities
  • The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

Regular internal monitoring of the implementation of the information security management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
24
requirements

Examples of other requirements this task affects

18.2.2: Compliance with security policies and standards
ISO 27001
5.36: Compliance with policies, rules and standards for information security
ISO 27001
4.4: Information security management system
ISO 27001
12: Digiturvan tilan seuraaminen
Digiturvan kokonaiskuvapalvelu
20.2: Top management monitoring for training
NIS2
See all related requirements and other information from tasks own page.
Go to >
Regular internal monitoring of the implementation of the information security management system
1. Task description

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.

Defining security roles and responsibilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
33
requirements

Examples of other requirements this task affects

24. Responsibility of the controller
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
T02: Turvallisuustyön tehtävien ja vastuiden määrittäminen
Katakri
ID.AM-6: Cybersecurity roles and responsibilities
NIST
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Defining security roles and responsibilities
1. Task description

Top management must ensure clear responsibilities / authority on at least the following themes:

  • who is primarily responsible for ensuring that the information security management system complies with the information security requirements
  • who act as ISMS theme owners responsible for the main themes of the information security management system
  • who has the responsibility and authority to report to top management on the performance of the information security management system
  • who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

Amount, competence and adequacy of key cyber security personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
23
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
37. Designation of the data protection officer
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
T03: Turvallisuustyön resurssit
Katakri
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Amount, competence and adequacy of key cyber security personnel
1. Task description

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

  • what qualifications this staff should have
  • how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
  • how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

Segregation of information security related duties
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
9
requirements

Examples of other requirements this task affects

6.1.2: Segregation of duties
ISO 27001
ID.RA-3: Threat identification
NIST
PR.AC-4: Access permissions and authorizations
NIST
PR.DS-5: Data leak protection
NIST
HAL-02.1: Tehtävät ja vastuut - tehtävien eriyttäminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Segregation of information security related duties
1. Task description

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision
Risk level accepted by the organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
19
requirements

Examples of other requirements this task affects

ID.RM-2: Risk tolerance
NIST
ID.RM-3: Informing of risk tolerance
NIST
6.1: Information security risk management
ISO 27001
RISK-1: Establish and Maintain Cyber Risk Management Strategy and Program
C2M2
21.2.a: Risk management and information system security
NIS2
See all related requirements and other information from tasks own page.
Go to >
Risk level accepted by the organization
1. Task description

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.