Organization

The term security organization includes different functions, organizational units, roles, and responsibilities within the framework of an information security management system. Providing a company with security organization adapted to its needs is one of the main responsibilities of management and the board of directors. Translating the strategy into IS objectives and then into an action plan and controls is the responsibility of the chief information security officer (CISO). Although this evolution of the CISO's responsibilities is certainly encouraging, it is always accompanied by the necessary revision of underlying organizations. Security teams in such an organization report to the CISO or CSO, who occupies a real C-level outside of IT. The board of directors is the supreme body of corporate governance and as such, of IS governance. It is accountable for risks and actions taken to mitigate them, validates strategies, makes sure that resources are used responsibly, and is the privileged recipient of performance reports and audits.