Cyber and information security should be regarded as a critical issue in every organisation, so you should have in place a framework for its governance. Setting up, directing and monitoring this framework should be the responsibility of the board or business owner – depending on the size and nature of the organisation – supported by heads of operational business units and specialist departments.

This group should ensure that a cyber and information security strategy and assurance programme are in place and are the responsibility of someone in the business who is at board level or equivalent.

The framework should cover:

  • Management of all cyber and information security activities.
  • Making sure activities are relevant to prevailing and potential risk and timetabled effectively.
  • Decisions on the investments most relevant to the organisation.
  • Compliance with relevant prevailing legislation and best practice.
  • Establishing and cascading a culture of security and safety.
  • Measurement against objectives.

It is vital that the framework and strategy are reviewed and, where necessary, updated either periodically (at intervals to be determined in the framework) or as needs arise. This is to allow for changes in business model, company growth, working practices, mergers and acquisitions, technology updates / upgrades, globalisation and, of course, the evolving threat landscape.