Establishment of Policies and Procedures
GV.PO-01: The policy for managing cybersecurity risk is established based on the organizational context, cybersecurity strategy, and priorities, and is communicated and enforced.
  • 1. Cybersecurity policies are adopted and documented for at least the following areas: a) risk management; b) roles and responsibilities; c) reliability of human resources; d) compliance and security audit; e) management of cybersecurity risks in the supply chain; f) asset management; g) vulnerability management; h) operational continuity, disaster recovery, and crisis management; i) management of authentication, digital identities, and access control; j) physical security; k) staff training and awareness; l) data security; m) development, configuration, maintenance, and decommissioning of information and network systems; n) protection of networks and communications; o) security event monitoring; p) incident response and recovery.
  • 2. For the areas mentioned in point 1, policies are included at least in relation to the requirements indicated in table 1 in the appendix to this annex.
  • 3. The policies referred to in point 1 are approved by the administrative and directive bodies.
Description: The policy for managing cybersecurity risk is established based on the organizational context, cybersecurity strategy, and priorities, and is communicated and enforced.

Policy and Procedure Review and Update
GV.PO-02: The policy for managing cybersecurity risk is reviewed, updated, communicated, and implemented to reflect changes in requirements, threats, technology, and the organization's mission.
  • 1. The policies referred to in measure GV.PO-01 are periodically reviewed and, if appropriate, updated at least annually, as well as whenever there are changes in the regulatory context concerning cybersecurity, significant incidents, organizational changes, or shifts in threat exposure and related risks.
  • 2. As part of the review mentioned in point 1, at a minimum the compliance of the policies referred to in measure GV.PO-01 with cybersecurity regulations is verified.
  • 3. An updated register containing the results of the review mentioned in point 1 is maintained.
Description: The policy for managing cybersecurity risk is reviewed, updated, communicated, and implemented to reflect changes in requirements, threats, technology, and the organization's mission.