Read also: The Data Inspectorate is checking all 357 Norwegian municipalities
The Norwegian Data Protection Authority checks four things when they visit municipalities — and the same four things are relevant for any business. MFA on all entry points, an overview of who has access to what, a plan for what happens when something goes wrong, and someone responsible for making sure all of this works.
It doesn't have to be an ISO 27001-certified framework. It needs to be a document that answers four questions: who has access, how do we log in, what do we do in case of an incident, and who is responsible.
What does this mean to you?
Write down the answers to the four questions. It's a control system. Nothing more complicated than that.
Inspired by: The Norwegian Data Protection Authority