The Security Team as a Key Element of the ISMS Implementation and Certification Process

Abstract:

The aim of the article is to present the views that have been formulated on how an information security team should be structured and to discuss the most important results and trends of research on this topic. The article consists of three parts. The first part describes how to create a security team and then define its structure and functions, drawing on input from Chief Information Security Officers (CISOs), policies, frameworks, maturity models, standards, codes of conduct and lessons learned from serious cybersecurity incidents. This part also presents the results of mapping basic security functions to specific departments or business units. In the second part, using the results of the mapping and analysis described in the first part, three models of the organizational structure of the security team are developed, for a small, a medium-sized and a large company. The models differ in the subsets of identified functions, supporting departments, sub-functions and activities they include. Each model can be tailored to the unique needs of an organization, and the choice of model can be justified on the basis of the organization's size, revenue and number of employees.