FAQ n.142374

What is expected of organisations by the applicability date of the regulation?

Answer

The implementation of Part-IS is not a binary process, but rather a continuous one with different implementation levels to be achieved. Organisations are expected to follow the PSOE (Present, Suitable, Operational, Effective) model and to have reached the 'Present' and 'Suitable' levels by the applicability date.

This is a notion familiar to organisations already applying a safety management system (SMS). In short, organisations need:

  • to establish the fundamental elements of the information security management system (ISMS);
  • to define the personnel roles and responsibilities as well as the scope; and
  • to define a security policy, a risk management process as well as change management policies.

Moreover, procedures for incident management and internal reporting of events are expected to set the stage for formalising security management. Following this, the organisation should continue through the implementation levels, reaching the 'Operational' and 'Effective' levels.

More information is available in the guidelines on the oversight approach by authorities.

Last updated
22/08/2025