The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope of the management system, its contents, its role, cumulative information about its implementation, and any other descriptive information needed to understand it must be clearly documented.
Management must ensure that the organization has up-to-date guidance on information management and cyber security topics.
Management must ensure that the organization has defined the responsibilities for the information management tasks laid down in the Information Management Act (tiedonhallintalaki) and in other legislation.
These responsibilities can be defined in Digiturvamalli by assigning owners to the tasks and documentation items belonging to the different areas of information management (e.g. information security guidelines, information systems, register-keeping, case management).
Top management must ensure that responsibilities and authority are clearly assigned for at least the following themes:
The owners of the ISMS themes are shown on the desktop of the management system and in the Information security policy report.
In addition, top management shall ensure that all roles relevant to information security, together with their responsibilities and authorities, are defined and communicated. The roles and responsibilities of external partners and providers must also be identified.
If staff have goals that conflict with the security guidelines, they are unlikely to follow the guidelines.
The organization therefore actively looks for guidelines that work poorly in practice and modifies the guidelines, the tools, or staff priorities so that the guidelines can actually be followed.