To satisfy this control you will need to appoint somebody within your organisation as responsible for defining and delivering your information security programme. This person will need to have an interest in, and a strong understanding of, information security, your internal business, and technology. They will also need to have the time and resources available to invest in the role.
If you are a small company, the CISO role is typically given to whoever is responsible for the technology of the business (your CIO or CTO), or the role is picked up by an information security risk manager.
You can also explore hiring a part-time vCISO (virtual CISO): an external resource who supports your company in managing its security on a part-time basis, usually remotely. This can be a cheaper and more efficient alternative for small companies, but it is not usually as effective as having a dedicated internal resource.
If you are a large company, you will typically need to hire a dedicated, full-time CISO.