The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.
Top management must ensure clear responsibilities / authority on at least the following themes:
The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.
In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated.