Is it necessary to appoint an Information Security Manager to implement and run an ISMS?
Yes, in practice an ISMS needs a nominated Information Security Manager (ISM), Chief Information Security Officer (CISO) or similar leader to plan, implement, run and maintain it, although the ISO27k standards don’t exactly say it that clearly. A very rough rule-of-thumb suggests that around 1% of an organization’s total employees should work in information security (a greater proportion in any organization for which information security is a critical business issue). Small organizations may not have a dedicated ISM but may assign the corresponding responsibilities to the IT Manager or someone else as a part-time duty. Organizations of all sizes are encouraged to utilize independent experts (consultants, contractors, auditors, or even managed service providers specializing in compliance, communications, collaboration and continuity) as necessary, both for the additional pairs of hands and more importantly their brains, expertise and experience.
Related Questions
- Why do I receive an error stating that I do not have necessary privileges to start the Security Manager client from the read-only policy query window?
- Is it always necessary to configure the Security Manager user account in the CS-MARS database to perform events lookup?
- What SQL Server security permissions are necessary to backup with SQL Backup Manager?
