At our previous entry We inform you of the entry into force of Royal Decree 43/2021, by which all essential service companies and digital service providers must designate their Responsible for Information Security or CISO ( Chief Information Security Officer ).
Broadly speaking, this figure must be designated no later than April 27 of this year, and will be in charge of analyzing the state of cybersecurity of your company and presenting the relevant authorities Statement of Applicability , in addition to ensure compliance a posteriori (so it will not be a temporary figure, far from it).
On July 27, the deadline for submitting the Declaration of Applicability ends. As of this date, companies that do not comply with these obligations may be inspected and sanctioned.
The objective of this regulation is very clear: that essential companies achieve an adequate level of information security , considering that, being essential service companies such as energy, health, waste management or food, they must minimize their risks of suffering a cyber-incident that paralyzes their work activity.
Last week we talked to you in detail about the companies affected by RD 43/2021 . This week we want to explain the functions of the CISO or Head of Security.
Questions and answers about the Information Security Officer or CISO
What does a CISO or Security Manager do?
Its functions are contained in article 7 of RD 43/2021, which establishes:
- Act as a point of contact with the competent authority in matters of supervision of the security requirements of networks and information systems.
- Act as a specialized point of contact for the coordination of incident management with the reference CSIRT.
- The following functions will be developed under your responsibility, among others:
- Prepare and propose a Cybersecurity Plan to be approved by the company. This plan must include the technical and organizational measures necessary to manage the risks detected regarding the security of the networks and information systems available to the company.
Its purpose is to prevent and minimize the effects of cyber incidents that could affect the company and its services. For more information, see the Article 6 of RD 43/2021 .
- Supervise and develop the application of security policies, regulations and procedures derived from the organization, supervise their effectiveness and carry out periodic security controls.
- Prepare the document of Declaration of Applicability of security measures in accordance with the provisions of article 6.2.
- Act as a promoter and trainer for good practices in the organization in cybersecurity.
- Send to the competent authority, through the reference CSIRT and without undue delay, notifications of incidents that have disturbing effects on the provision of essential services.
- Receive, interpret and supervise the application of the instructions and guides issued by the competent authority, both for the usual operations and for the correction of the deficiencies observed.
- Collect, prepare and supply information or documentation to the competent authority or the reference CSIRT, at its request or on its own initiative.
As we explained on these lines, the figure of the CISO requires High capacities in information security and carries important responsibilities. The traditional profile of the “IT company” specializes and becomes much more complex. However, the Security Manager may rely on services provided by third parties (digital security companies and computer consulting) to fulfill their functions effectively and as required by law.
Edorteam, a valuable support for your CISO
Reinforce your company's cybersecurity with CISO Advisor Plan,contact us now!
Does the Safety Manager have to be a company employee?
Not necessarily, it can be a department, unit or collegiate body external to the company. However, a natural person must always be appointed as a representative and a substitute to assume his functions in cases of absence, vacancy or illness.
Due to the nature and complexity of its functions, we recommend that the CISO of your company be a technical professional with specialized knowledge in computer security , to be able to be hired specifically for this position or, in any case, promoted to this new position after receiving the complementary training that he may need.
The professional profile should have the following capabilities:
- Advanced computer skills , if possible with a university degree in Computer Engineering or similar.
- Specialized knowledge and experience in cybersecurity from the organizational, technical and legal points of view.
- Ability to participate in all matters relating to security, maintaining a communication real and effective with the direction of the company.
- Capacity of independence with respect to those responsible for the company’s networks and information systems.
Edorteam, as specialists in digital security with more than 25 years of experience, we will be a valuable support for your Security Manager helping him in his training and new functions.
Our IT department It will not only be in charge of analyzing the cybersecurity of your company and identifying possible threats, it will also propose software solutions to meet the standards required by regulations. All under the supervision of our legal department , made up of lawyers and data protection specialists to guarantee full legal compliance.