Chapter 2–1 Establishing an Information Security Organization
Draft a security organization charter and define its scope
After impressing the company with your risk posture assessment and action plan during the interview, you have been hired to establish a new information security organization. What should your first moves be?
Draft a Security Organization Charter and Define its Scope
The Security Organization Charter:
Security organizations should follow international security standards (e.g., ISO 27001 and the NIST framework) to prioritize security risks and manage them according to the company’s risk appetite through coordinated personnel, processes, and technology.
Effective security management is the cornerstone of sustainable security.
When addressing issues, consider risk treatment strategies, clearly identify which issues should be fixed first and why some can be deferred, and ensure that resources are allocated to mitigating the most critical risks.
Risk Treatment: It is not necessary to remediate every risk. The organization can accept a risk, transfer it (e.g., by purchasing cyber insurance), avoid it (for example, by not entering certain business areas), or remediate it to an acceptable level.
The Security Organization Scope:
Does this sound familiar? Based on the risk assessment, you want to take some initiatives to enhance the company’s disaster recovery and business continuity planning, but you are accused of overstepping into the domain of the company’s IT department.
I always emphasize that my security organization covers every area addressed by the international security standards, including the following 33 domains that most security standards have in common.