FAQ n.139299

Does the organisation need to establish a separate representative for the information security management system (ISMS)?

Answer

This is an organisational decision depending on the necessary competencies that this person needs to have. The accountable manager may decide to delegate certain responsibilities to a person or group of persons, taking into account their competencies and the requirements detailed in point IS.I.OR.240 of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 and point IS.D.OR.240 of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645 as well as in the related acceptable means of compliance and guidance material (AMC & GM).

Last updated
22/08/2025

Was this helpful?