Risk Management Roles and Responsibilities
GV.RR-02: Roles, responsibilities, and related powers concerning the management of cybersecurity risk are established, communicated, understood, and enforced.
  • 1. The organization for information security is defined, approved by the administrative and directive bodies, and made known to the relevant departments of the NIS entity, with roles and responsibilities established.
  • 2. An updated list of personnel within the organization mentioned in point 1, having specific roles and responsibilities, is maintained and made known to the relevant departments of the NIS entity.
  • 3. Within the information security organization mentioned in point 1, the contact point and at least one substitute, as determined according to Article 7, paragraph 6 of the NIS decree, are included.
  • 4. The roles and responsibilities mentioned in point 1 are reviewed and, if appropriate, periodically updated, at least every two years, as well as whenever significant incidents, organizational changes, or shifts in threat exposure and related risks occur.
Requirement Covered
Description

Roles, responsibilities, and related powers concerning the management of cybersecurity risk are established, communicated, understood, and enforced.

Human Resource Practices
GV.RR-04: Cybersecurity is included in human resources practices.
  • 1. For at least the relevant information and network systems, personnel authorized to access them are identified after assessing experience, capability, and reliability and must provide appropriate assurance of full compliance with regulations on cybersecurity.
  • 2. System administrators of the information and network systems are identified after assessing experience, capability, and reliability and must provide appropriate assurance of full compliance with regulations on cybersecurity.
  • 3. In accordance with the policies of measure GV.PO-01, procedures related to points 1 and 2 are adopted and documented.
  • 4. In agreement with the risk assessment results from measure ID.RA-05, any contractual obligations regarding cybersecurity that remain valid after the termination or modification of employment for NIS employees are defined (e.g., including confidentiality clauses).
  • 5. In accordance with the policies of measure GV.PO-01, procedures related to point 4 are adopted and documented.
Requirement Covered
Description

Cybersecurity is included in human resources practices.