Katakri 2020
T-03: Management of information security risks (Tietoturvallisuusriskien hallinta)

How to fill the requirement


Task: Risk management procedure report publishing and maintenance
Theme: Risk management and leadership
Policy: Risk management requirements

This task also fulfils the following other security requirements:

  • T04: Security risk management (Turvallisuusriskien hallinta) (Katakri)
  • 5.1.1: Policies for information security (ISO27 Full)
  • 8.2: Information security risk assessment (ISO27k1 Full)
  • ID.GV-4: Processes (NIST)
  • ID.RA-5: Risk evaluation (NIST)
1. Task description

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk prioritisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Task: Identification and documentation of cyber security risks
Theme: Risk management and leadership
Policy: Risk management requirements

This task also fulfils the following other security requirements:

  • T04: Security risk management (Turvallisuusriskien hallinta) (Katakri)
  • Section 13: Information security of information materials and information systems (TiHL)
  • Article 24: Responsibility of the controller (GDPR)
  • Article 5: Principles relating to processing of personal data (GDPR)
  • 8.3: Information security risk treatment (ISO27k1 Full)
1. Task description

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk

Task: Consideration of security-classified risks to information in risk management
Theme: Risk management and leadership
Policy: Risk management requirements

This task also fulfils the following other security requirements:

  • T-03: Management of information security risks (Tietoturvallisuusriskien hallinta) (Katakri 2020)
1. Task description

Top management of the organization is responsible for:

  • the organization having security principles approved by the top management, which describe the connection of the organization's information security measures to the organization's operations
  • the security principles being comprehensive and appropriate in terms of protecting classified information
  • security principles guiding information security measures
  • the organization having organized sufficient monitoring of compliance with obligations and instructions related to information management of security-classified information.

Management support, guidance and responsibility are demonstrated by the organization having security principles approved by top management, which describe the connection between the organization's information security measures and its operations. This shows that management is committed to the organization's security principles, and that the principles represent the will of management and support the organization's operations. The principles can be documented in many different ways, for example as a single document, or as part of general operating principles, a policy or a strategy.
