Information security officer
The information security officer (ISO) is the central role that steers and coordinates an organisation's information security management system and is accountable for it to the management board.
The information security officer, in German Informationssicherheitsbeauftragter (ISB) and often referred to as the Chief Information Security Officer (CISO), is the organisationally anchored role responsible for planning, steering and monitoring an organisation's information security management system (ISMS). The officer advises the management board on all matters of information security, coordinates the implementation of security measures and ensures that protection objectives such as confidentiality, integrity and availability of information are adequately maintained. The role thus acts as an interface between the management level, the business units and IT operations.
The core duties of the information security officer include developing and maintaining the security policies and the overarching security guideline, steering the risk management process including protection needs assessment and risk treatment, coordinating incident response and business continuity management, and promoting security awareness across the company. The officer monitors the effectiveness of the measures taken, reports regularly to the management board and contributes to internal and external audits. Recognised frameworks such as the BSI IT-Grundschutz and ISO/IEC 27001 explicitly provide for the appointment of such an officer and describe the corresponding profile of responsibilities.
With the NIS2 Directive and its national transposition, the role gains further importance, even though the law does not necessarily tie the function to the title "ISO". What is decisive is that the management board of essential and important entities bears responsibility for risk management and cannot fully delegate it; the information security officer supports the board in fulfilling these management obligations. The independence of the role is important: the officer should report directly to top management and must not enter into conflicts of interest, for example through simultaneous operational responsibility for the IT operations whose security they are meant to assess.
Legal Basis
BSI IT-Grundschutz (BSI Standard 200-2); ISO/IEC 27001; NIS2 Directive (EU) 2022/2555 in conjunction with the national transposition act
Practical Example
A mid-sized plant engineering company falls under the NIS2 obligations and appoints an information security officer for the first time. The officer begins by carrying out a protection needs assessment for the most important business processes, derives concrete measures together with the business units and introduces a binding security policy. They establish an incident response process including reporting channels, train the workforce to recognise phishing and present the management board with a quarterly security report covering open risks and the status of measures.