An organisation holds multiple approvals or declarations. Can the different accountable managers delegate the activities under Part-IS to a single person?
Yes, when the organisation shares information security organisational structures, policies, processes and procedures with other organisations or with areas of their own organisation that are not part of the approval or declaration, the accountable manager may delegate their activities to a common responsible person.
Coordination measures shall be established between the accountable manager, or accountable managers for those entities holding multiple approvals, and the common responsible person to ensure adequate integration of the information security management within the organisation(s).
Does the organisation need to establish a separate representative for the information security management system (ISMS)?
This is an organisational decision depending on the necessary competencies that this person needs to have. The accountable manager may decide to delegate certain responsibilities to a person or group of persons, taking into account their competencies and the requirements detailed in point IS.I.OR.240 of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 and point IS.D.OR.240 of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645 as well as in the related acceptable means of compliance and guidance material (AMC & GM).
Should an organisation have one single information security policy even if there are different organisation approvals (OAs) under its umbrella?
An organisation is free to choose to have a single information security policy covering all OAs or a different information security policy per OA.