02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Security Governance CISO
Written by Haydn Brooks
Created on March 18, 2019
Modified on February 25, 2020

Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Please confirm the role and its responsibilities in the notes or provide a job role description (as a PDF file) as evidence.

A Chief Information Security Officer (CISO) is the most senior executive within an organisation who is responsible for the security of the organisation’s information assets and technology. They are responsible for leading and establishing the strategy of the organisation’s security programme and are accountable for its efficacy.

For a large company, a CISO is a full-time role that sits within risk management. The CISO will typically be a non-technical security resource who can design and manage a programme of security controls, like the ones defined in the Risk Ledger framework, based on the risks to the organisation that they have identified. The controls themselves are managed by the area of the business that owns them – for example, a CISO may set the requirement that all staff must have background checks completed, and it will be up to the HR team to action that control.

For a small company, a CISO may be a part-time role. As in large companies, the CISO will define the security controls the company needs to mitigate its technology and security risk and will assign owners to these controls to implement and maintain them.

A CISO may require some budget to pay for information security controls or to hire risk managers to help the organisation define and maintain its security programme. There are a number of frameworks for managing an information security programme, such as ISO 27001, that a CISO can use to add structure to their security programme.

A CISO is also responsible for responding to security incidents within the business.

How to implement the control:

To satisfy this control you will need to appoint somebody within your organisation as responsible for defining and delivering your information security programme. This person will need to have an interest in, and a strong understanding of, information security, your internal business, and technology. They will also need to have the time and resources available to invest in the role.

If you are a small company, the CISO role is typically given to whoever is responsible for the technology of the business (your CIO or CTO), or the role is picked up by an information security risk manager.

You can also explore hiring a part-time vCISO (virtual CISO), a resource who can support your company in managing its security on a part-time basis, usually remotely. This can be a cheaper and more efficient alternative for small companies, but it is not usually as effective as having a dedicated internal resource.

If you are a large company, you will typically need to hire a dedicated, full-time CISO.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.