Upravljanje

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

• the basis for setting the organization’s security objectives
• commitment to meeting information security requirements
• commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

• the is appropriate for the organization's business idea
• the policy is communicated to the entire organization
• the policy is available to stakeholders as appropriate

Organization's top management sets security objectives. Security objectives meet the following requirements:

• they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
• they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
• they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
• they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

• defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
• determining the resources needed to manage security
• communicating the importance of cyber security
• ensuring that the work achieves the desired results
• promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

• Status of improvements (or other actions) initiated as a result of previous management reviews
• Future changes relevant to the security management system
• Performance of the ISMS (problem areas, metering, audit results and fulfillment of management security objectives)
• Stakeholder feedback on data security
• Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include the answers, e.g. to the following points:

• What issues are communicated? These can be e.g. new or changed security objectives
• How and when to communicate?What channels are used and how often?
• To whom is communicated? How often for security executives, how often for the entire organization or partners.
• Who takes part? Who has the right to message and from whom, for example, messages should be approved.

Task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.

The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.

When budgeting for digital security, three key areas must be considered in particular - personnel costs, technology solutions and operational costs.