Identify the organisation’s structures and processes for security management

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

• the basis for setting the organization’s security objectives
• commitment to meeting information security requirements
• commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

• the is appropriate for the organization's business idea
• the policy is communicated to the entire organization
• the policy is available to stakeholders as appropriate

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

• Risk identification methods
• Methods for risk analysis
• Criteria for risk evaluation (impact and likelihood)
• Risk priorisation, treatment options and defining control tasks
• Risk acceptance criteria
• Process implementation cycle, resourcing and responsibilities
• The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.

Top management must ensure clear responsibilities / authority on at least the following themes:

• who is primarily responsible for ensuring that the information security management system complies with the information security requirements
• who act as ISMS theme owners responsible for the main themes of the information security management system
• who has the responsibility and authority to report to top management on the performance of the information security management system
• who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

• what qualifications this staff should have
• how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
• how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

• High-level segregation of information security responsibilities
• Supporting segregation with good monitoring, audit trails and management supervision

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.