The organization's top management sets security objectives. The security objectives meet the following requirements:
When security objectives are documented, the organization also defines the top-level improvements and tasks needed to achieve them, the resources required, the responsible persons, the due dates and the methods for evaluating the results.
The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
In addition, the task owner shall ensure that:
The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.
When budgeting for digital security, three key areas in particular must be considered: personnel costs, technology solutions and operational costs.
Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.
The management review shall address and comment on at least the following:
Documented information on the execution and results of reviews must be maintained.
All personnel working under the organization's control must be aware of:
In addition, top management has defined the ways in which personnel are kept aware of the security guidelines that apply to their own job role.
The implementation of the tasks and guidelines recorded in the ISMS should be monitored.
The task owner should regularly review the implementation status of the ISMS as a whole.