Chief Information Security Officer

from Wikipedia, the free encyclopedia

A Chief Information Security Officer (CISO) is the person with overall responsibility for information security in an organization. In practice, the tasks vary depending on the needs of the company that defines and fills the role, but they can also be derived from the relevant information security standards.


For smaller organizations, or for people responsible for subsections within a larger organization, the "Chief" is dropped and the term Information Security Officer ("ISO", not to be confused with the standards body of the same abbreviation) or information security officer (ISB) is used. The misleading term "head of IT security" is also used; IT security is only one aspect of information security.

The CISO usually takes on the following tasks:

  • Establishment of a management system for information security (ISMS, Information Security Management System)
  • Development of protection goals for company-critical values (assets), their threats and their risks, and the security goals derived from the IS strategy
  • Implementation of risk assessments and business impact analyses
  • Establishment and operation of an organizational unit for the implementation of the security goals derived from the IS strategy
  • Drafting and adapting security policies and security guidelines
  • Auditing the functional units on the status of implementation and the further development of the security regulations
  • Creating awareness of information security among employees through training and campaigns
  • Establishing guidelines, specifications and goals for information security
  • Implementation of training and awareness campaigns on information security
  • Ensuring compliance with data protection regulations
  • Portfolio management of security-relevant business processes
  • Continuous analysis and optimization of information security in the company
  • Coordination with the stakeholders and the group or company management, and establishing information security among them

The CISO usually does not report to the chief information officer (CIO); the reporting line often goes directly to the Chief Executive Officer (CEO) instead, because IT security is only a subset of a CISO's tasks, and the role covers the security and risk management of all of a company's information assets (including, for example, files and paper records).

Ideally, the separation of functions is arranged so that the IT department or the head of IT security acts as a kind of internal supplier, while the requirements side is represented by the (C)ISO on behalf of the management. As part of an Information Security Management System (ISMS), the (C)ISO audits the IT delivery side where necessary and reports the results to the management. In smaller companies, but also in many larger companies without an ISMS or with a low level of maturity in information security, all these functions may be defined differently or less strictly separated.

The ISO/IEC 27000 series and the IT-Grundschutz are usually the essential working foundations for the CISO.
