Objective: A successful ISMS requires clear responsibilities within the organization.
Requirements (must): Responsibilities for information security within the organization are defined, documented, and assigned.
The responsible employees are defined and qualified for their task.
The required resources are available.
The contact persons are known within the organization and to relevant business partners.
Requirements (should): There is a definition and documentation of an adequate information security structure within the organization. Other relevant security roles are considered.
The organisation should define and document an information security structure within the organisation. This should include the consideration of other relevant security roles.
Top management must ensure clear responsibilities and authority for at least the following themes:
The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.
In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.
The organization shall have a sufficient number of trained, supervised and, where necessary, properly security-cleared personnel who hold key roles in information security and perform the management tasks related to the information security management system.
The organization has defined:
The owner of the task regularly reviews the number and level of competence of the security personnel.
The organization lists the relevant government actors with whom it is important to stay in active contact and, if necessary, get in touch quickly. These authorities include national law enforcement and supervisory authorities.
A clear contact person should be defined for the relevant authorities to act as a contact point for the organization.
The organization has dedicated sufficient resources and expertise to the development of digital security as part of the implementation of the organization's strategy.
In addition, a responsible person has been appointed for digital security, and this theme receives enough attention in that person's job description and time allocation.