CISM: Chief Information Security Officer

From Glitchdata
  • The CISO should report to the Chief Risk Officer.
  • A conflict of interest may arise if the CISO reports to the CIO, because the CIO is accountable for delivering IT services that security controls may constrain.
  • An organisation that appoints a CISO acknowledges and formalises its legal responsibility for information security.
    • Appointing a chief information security officer (CISO) creates a clear line of responsibility for information security. Given the scope and breadth of information security today, the required authority and responsibility will inevitably rest with a senior manager, so not having a CISO does not mean that nobody is responsible; it does, however, increase the potential for confusion over precisely who is responsible and may result in unrecognised liability. Ultimate accountability remains with the board of directors.


  • Develop an information security strategy.
  • Negotiate local standards so that they align with international standards.
  • Enforce the information security policy.