The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
Data system documentation must include at least:
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning).
An owner is assigned to each data set. The owner is responsible for the life cycle of the information asset and for performing the management tasks related to that asset.
The owner's duties include e.g.:
The owner can delegate some of the tasks, but the responsibility remains with the owner.
A responsible person, who monitors the provider's activities, communications and compliance with the contract, has been appointed for the provider companies.
The responsible person must have sufficient skills to analyze cyber security requirements depending on the criticality of the provider. The responsible person also ensures that the provider appoints its own responsible person to ensure compliance with the contract and facilitate cooperation.