Content library
TISAX: Information security
1.2.2: Information Security Responsibilities

Requirement description

Objective: A successful ISMS requires clear responsibilities within the organization.

Requirements (must):"+ Responsibilities for information security within the organization are defined, documented, and assigned.
The responsible employees are defined and qualified for their task.
The required resources are available.
The contact persons are known within the organization and to relevant business partners."

Requirements (should): There is a definition and documentation of an adequate information security structure within the organization. Other relevant security roles are considered.

How to fill the requirement

TISAX: Information security

1.2.2: Information Security Responsibilities

Task name
Priority
Status
Theme
Policy
Other requirements
Description of cyber security structure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

1.2.2: Information Security Responsibilities
TISAX
See all related requirements and other information from tasks own page.
Go to >
Description of cyber security structure
1. Task description

Organisation should define and document an information security structure within the organisation. This should include the consideration of other relevant security roles.

Defining security roles and responsibilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
33
requirements

Examples of other requirements this task affects

T02: Turvallisuustyön tehtävien ja vastuiden määrittäminen
Katakri
24. Responsibility of the controller
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
ID.AM-6: Cybersecurity roles and responsibilities
NIST
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Defining security roles and responsibilities
1. Task description

Top management must ensure clear responsibilities / authority on at least the following themes:

  • who is primarily responsible for ensuring that the information security management system complies with the information security requirements
  • who act as ISMS theme owners responsible for the main themes of the information security management system
  • who has the responsibility and authority to report to top management on the performance of the information security management system
  • who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

Amount, competence and adequacy of key cyber security personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
23
requirements

Examples of other requirements this task affects

T03: Turvallisuustyön resurssit
Katakri
32. Security of processing
GDPR
37. Designation of the data protection officer
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Amount, competence and adequacy of key cyber security personnel
1. Task description

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

  • what qualifications this staff should have
  • how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
  • how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

Keeping contact with relevant authorities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
18
requirements

Examples of other requirements this task affects

Članak 37: Obavještavanje o značajnim incidentima
NIS2 Croatia
11 §: Poikkeamailmoitukset viranomaiselle
Kyberturvallisuuslaki
1.2.2: Information Security Responsibilities
TISAX
34 § 1°: Notifications d'incidents au CSIRT et aux bénéficiaires des services
NIS2 Belgium
RC.CO-1: Public relations are managed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Keeping contact with relevant authorities
1. Task description

The organization lists the relevant government actors with whom it is important to actively contact and, if necessary, get in touch quickly. These authorities include national law enforcement and supervisory authorities.

A clear contact person should be defined for the relevant authorities to act as a contact point for the organization.

Adequacy of digital security resourcing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
5
requirements

Examples of other requirements this task affects

14.5.2): Aukščiausiosios vadovybės atsakomybė
NIS2 Lithuania
70: Riittävät resurssit digiturvan kehittämiseen
Digiturvan kokonaiskuvapalvelu
1.2.2: Information Security Responsibilities
TISAX
GV.RR-03: Adequate resources for cybersecurity risk strategy and policies
NIST 2.0
31 § 1°: Approbation des mesures de gestion des risques de cybersécurité
NIS2 Belgium
See all related requirements and other information from tasks own page.
Go to >
Adequacy of digital security resourcing
1. Task description

The organization has dedicated sufficient resources and expertise to the development of digital security as part of the implementation of the organization's strategy.

In addition, a responsible person has been named for digital security, and this theme receives enough attention in the responsible person's job description and time management.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.