Information Security Officer (ISO)

Circular 10/2017 (BA) – Supervisory Requirements for IT in Financial Institutions (BAIT)

4.4. The management board shall establish an information security officer function. This function is responsible for all information security issues within the institution and with regard to third parties. It ensures that information security objectives and measures defined in the institution’s IT strategy, information security policy and information security guidelines are transparent both within the institution and for third parties, and that compliance with them is reviewed and monitored regularly and on an event-driven basis.

The information security officer function has in particular the following tasks:

– supporting the management board when defining and changing the information security policy and advising on all issues of information security; this includes helping to resolve conflicting goals (e.g. economic aspects versus information security);

– preparing information security policies and, where appropriate, any other relevant regulations as well as checking compliance;

– managing and coordinating the institution’s information security process as well as monitoring the involvement of IT service providers and assisting in any related tasks;

– supporting the preparation and updating of the contingency plan with regard to information security issues;

– initiating and monitoring the implementation of information security measures;

– monitoring and working to ensure compliance with information security in projects and procurement;

– acting as a contact for any questions relating to information security coming from within the institution or from third parties;

– examining information security incidents and reporting these to the management board;

– initiating and coordinating measures to raise awareness of and training sessions on information security.

The information security officer may be supported by an information security management team.

4.5. In terms of organisation and processes, the information security officer function shall be independent to avoid any potential conflicts of interest.

The following measures, in particular, are applied to avoid any potential conflicts of interest:

– a description of the function and duties of the information security officer, his/her deputy and if necessary other organisational units;

– determination of resources required by the information security officer function;

– a designated budget for information security training sessions within the institution and for the personal training of the information security officer and his/her deputy;

– the information security officer is able to report directly and at any time to the management board;

– all employees of the institution as well as IT service providers are required to report immediately and comprehensively any incidents relevant to information security that concern the institution to the information security officer;

– the information security officer function shall be independent of those areas that are responsible for the operation and further development of IT systems;

– the information security officer may on no account be involved in internal audit activities.

4.6. As a rule, each institution shall have its own information security officer function in-house.

In the case of regionally active institutions (in particular those that belong to an association) as well as small institutions (in particular those that belong to a group) that do not have material, internally run IT operations but do have a similar business model and shared IT service providers for bank-specific processes, it is permissible, with regard to the regular (association-wide or group-wide) control mechanisms available, for multiple institutions to appoint a joint information security officer, as long as contractual conditions are in place to ensure that this joint information security officer can fulfil the relevant tasks for all the institutions in question at all times. However, in such cases, each institution shall name a competent contact person for the information security officer.

As a rule, institutions may combine the information security officer function with other internal functions.

This is without prejudice to an institution’s option of obtaining external support by means of a service contract.