Example: Information Security Governance Model (Inspired by ISO 27001/NIS2)

This is an example of an information security governance model suitable for a medium-sized organisation. It is designed to protect corporate information – including both personal data and business-critical information.

Published: 
November 18, 2024
Jacob Høedt Larsen
PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of the Sustainable Compliance podcast and an expert on software-supported GRC workflows, setting up a GRC programme, managing a GRC team and securing management buy-in.

1. Roles and Responsibilities

Executive Management
Approves policies and NIS2-related security measures, allocates resources and priorities, and monitors implementation through quarterly reporting.

Chief Information Security Officer (CISO)
Maintains the Information Security Management System (ISMS) and the Statement of Applicability (SoA). Reports to executive management every six months with a focus on the risk landscape and security incidents. Also responsible for security awareness training.

IT Department
Implements technical controls such as access management, logging, and patching.

System Owners
Responsible for managing risk in the systems under their ownership.

All Employees
Expected to be familiar with and follow security policies and participate in awareness training.

2. Organisation and Decision-Making

The Information Security Forum meets every two months. The CISO organises and chairs the meeting. Participants include the CISO, IT, HR, and DPO. Executive management may be invited when necessary.

Risk assessments are approved by the CISO in collaboration with the relevant system owners. Risks rated yellow or green may be accepted by the CISO; risks rated red require approval from executive management.

Security incidents are managed according to a contingency plan approved by executive management.

3. Policies and Documentation

All policies and documentation are maintained in Wired Relations and include:

  • ISMS
  • SoA
  • Information Security Policy
  • System and supplier register

The contingency plan is also kept in printed form by the individuals responsible for executing it, so that it remains available if the systems holding the documentation are themselves unavailable during an incident.

The staff awareness programme follows a schedule approved by management, and its delivery is documented on an ongoing basis.

4. Monitoring and Follow-Up

  • Annual review of risk assessments and controls
  • Contingency plan is tested annually
  • Annual management review