Based on the risk analysis and risk management referred to in the previous paragraph, essential and important entities must adopt appropriate and proportionate cybersecurity measures in order to manage the risks posed to the security of the network and information systems they use, including residual risks, taking into account the QNRCS, the most recent technical developments and, where applicable, the relevant European and international standards.






The organization must define, document, and formally approve its set of cybersecurity policies and measures. This comprehensive set of measures must be appropriate for the organization's size, risk profile, and complexity, and it must be based on the findings of the official risk analysis. When defining these measures, the organization must take into account the guidelines provided in the National Cybersecurity Reference Framework (QNRCS), the latest technical developments, and relevant international standards (e.g., ISO/IEC 27001).






A process must be established to continuously monitor the latest technical developments, emerging threats, and changes to relevant cybersecurity standards and frameworks. This process should include subscribing to threat intelligence feeds, participating in industry forums, and regularly reviewing updates to the QNRCS and other adopted standards. The findings must be used to periodically review and update the organization's security measures to ensure they remain effective.






All cybersecurity measures must be selected and implemented based on the results of the organization's risk analysis. There must be a clear, documented link between each identified risk and the corresponding measure(s) chosen to mitigate it, ensuring the measures are appropriate and proportionate. This process should be documented in a Statement of Applicability (SoA) or a similar risk treatment plan. This document justifies the inclusion of specific controls and provides a rationale for any controls that are deemed not applicable.






The implemented risk management measures and the overall state of risk management are reviewed regularly.
The operating model for monitoring the state of risk management is clearly described.






After risk treatment has been carried out, the organization assesses the level of the remaining residual risk for each individual risk.
The risk owner makes a clear decision on the residual risk, either closing the risk or returning it to the treatment queue.
In the Digiturvamalli, all requirements from the requirement frameworks are mapped to universal information security tasks, so that you can build a single plan that fulfils a large set of requirements.