+91 - 2249440784
Submit RFP
COVID-19 SOLUTIONS

Blog

  1. Home
  2. Advices
  3. CISO - Roles & Responsibilities

CISO – Roles & Responsibilities

by in Advices, Consulting

Quick look at the various key responsible areas of a Chief Information Security Officer

Area 1 – Compliance

  • Develop the list of interested parties related to information security
  • Develop the list of requirements from interested parties
  • Remain in continuous contact with authorities and special interest groups
  • Coordinate all efforts related to personal data protection

Area 2 – Documentation

  • Propose the draft of main information security documents – e.g.Information security policy, Classification policy, Access control policy, Acceptable use of assets, Risk assessment and risk treatment methodology, Statement of Applicability, Risk treatment plan, etc.
  • Be responsible for reviewing and updating main documents

Area 3 – Risk management

  • Teach employees how to perform risk assessment
  • Coordinate the whole process of risk assessment (see also: ISO 27001 risk assessment & treatment – 6 basic steps)
  • Propose the selection of safeguards
  • Propose the deadlines for safeguards implementation

Area 4 – Human resources management

  • Perform background verification checks of job candidates
  • Prepare the training and awareness plan for information security (see also How to perform training & awareness for ISO 27001 and ISO 22301)
  • Perform continuous activities related to awareness raising
  • Performing induction training on security topics for new employees
  • Propose disciplinary actions against employees who performed the security breach

Area 5 – Relationship with top management

  • Communicate the benefits of information security
  • Propose information security objectives
  • Report on the results of measuring
  • Propose security improvements and corrective actions
  • Propose budget and other required resources for protecting the information
  • Report important requirements of interested parties
  • Notify top management about the main risks
  • Report about the implementation of safeguards
  • Advise top executives on all security matters

Area 6 – Improvements

  • Ensure that all corrective actions are performed
  • Verify if the corrective actions have eliminated the cause of non-conformities

Area 7 – Asset management

  • Maintain an inventory of all important information assets
  • Delete the records that are not needed any more
  • Dispose of media and equipment no longer in use, in a secure way

Area 8 – Third parties

  • Perform risk assessment for activities to be outsourced
  • Perform background check for candidates for outsourcing partners
  • Define security clauses that must be part of an agreement

Area 9 – Communication

  • Define which type of communication channels are acceptable and which are not
  • Prepare communication equipment to be used in case of an emergency / disaster

Area 10 – Incident management

  • Receive information about security incidents
  • Coordinate response to security incidents
  • Prepare evidence for legal action following an incident
  • Analyze incidents in order to prevent their recurrence

Area 11 – Business continuity

  • Coordinate the business impact analysis process and the creation of response plans
  • Coordinate exercising and testing
  • Perform post-incident review of the recovery plans

Area 12 – Technical

  • Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
  • Propose authentication methods, password policy, encryption methods, etc.
  • Propose rules for secure teleworking
  • Define required security features of Internet services
  • Define principles for secure development of information systems
  • Review logs of user activities in order to recognize suspicious behavior
Stay Updated