Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.
What is it?
The strategic role and importance of information security means that it must be supported at senior management level. Only in this way can the security organisation have the backing it needs to deliver effectively on its mission. Therefore, this support, as well as the defined responsibility, should be clearly documented.
Ultimately, the overall responsibility may rest with one or more members of the organisation or may be split into specific parts assigned to specific individuals.
Why should I have it?
Security programmes, policies, and processes typically need senior support in order to be applied effectively throughout the organisation and maintained over time. Clearly documenting how the organisation's senior managers are responsible for security therefore increases confidence that the security programme is implemented and supported.
The documentation that formally establishes and/or recognises your security function should state where ultimate responsibility for information security lies. This is typically at senior management level, but it may be delegated down to the head of the security organisation, provided that adequate resources and authority are allocated.
This can be as part of a founding charter, executive charter, or any other type of document as long as it is part of your ISMS (Information Security Management System).
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email email@example.com. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.