The organization should define and document an information security structure that establishes clear roles, responsibilities, and reporting lines. This structure must include not only cybersecurity personnel but also other relevant security roles (e.g., physical security, safety, compliance) to ensure coordinated risk management.
Under the leadership of management, a formal organization, structure, or network of stakeholders should be established or designated to provide strategic direction, oversight, and accountability for cybersecurity-related activities. This leadership-driven approach ensures that cybersecurity receives the necessary visibility and support across the organization and aligns with broader business and risk management goals.
