Management must be involved in data protection and infosec. Here’s what the regulations say.

Everyone working with data protection and information security knows it: management plays a key role.

Published: 
June 11, 2025
Jacob Høedt Larsen
PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.


But what do the actual regulations say? In this article, we explore the key frameworks – ISO 27001, NIS2 and the GDPR – and what they require from management.


ISO 27001

To understand management's role under ISO 27001, look to Clause 5 (Leadership).

Here, top management is given three core responsibilities. They must:

  • Demonstrate leadership and commitment (5.1): be actively involved in setting up and supporting the ISMS, including making sure the ISMS objectives are compatible with the strategic direction of the organisation and allocating sufficient resources.

  • Establish an information security policy (5.2) that is documented, communicated within the organisation and followed up on.

  • Assign and communicate clear roles, responsibilities and authorities for information security (5.3), including responsibility for reporting on the performance of the ISMS to top management.

NIS2

The NIS2 Directive makes it crystal clear: information security is the responsibility of top management.

According to the directive, leaders are required to:

  • Approve the cybersecurity risk-management measures the entity takes,
  • Oversee their implementation,
  • Follow cybersecurity training themselves, and
  • Encourage similar training for staff across the organisation on a regular basis.

Members of the governing body can even be held personally liable for failing to meet these obligations.

The full text of Article 20 is quoted below.

GDPR

The GDPR doesn't explicitly state that management is responsible. But the regulation places its obligations on the controller and processor as organisations (Article 24 requires the controller to implement appropriate technical and organisational measures and to be able to demonstrate compliance), and the accountability principle in Article 5(2) makes the controller responsible for demonstrating compliance with all the data-protection principles. In practice, that overarching accountability sits with the leadership, which decides on resources, policies and who is responsible for what.

NIS2 Article 20

Management obligations are outlined in Article 20 of the NIS2 Directive, which states:

1. Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.

2. Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

Prepare your leadership for cyber accountability

With NIS2 and an evolving threat landscape, it’s essential that your executive team is ready to take ownership of cybersecurity. Our courses and workshops help boards and executive leaders understand risk, take strategic ownership, and strengthen their collaboration with information security teams.
