IS.D.OR.240 Personnel requirements
Regulation (EU) 2022/1645
found in: Information Security (No 2023/203 and 2022/1645) Part-IS (Jun 2024)
(a) The accountable manager of the organisation or, in the case of design organisations, the head of the design organisation, designated in accordance with Regulation (EU) No 748/2012 and Regulation (EU) No 139/2014 as referred to in points 1(a) and (b) of [Article 2](#_DxCrossRefBm1193569456) of this Regulation, shall have corporate authority to ensure that all activities required by this Regulation can be financed and carried out. That person shall:

(1) ensure that all necessary resources are available to comply with the requirements of this Regulation;

(2) establish and promote the information security policy referred to in point [IS.D.OR.200](#_DxCrossRefBm1193569683)(a)(1);

(3) demonstrate a basic understanding of this Regulation.

(b) The accountable manager or, in the case of design organisations, the head of the design organisation, shall appoint a person or group of persons to ensure that the organisation is in compliance with the requirements of this Regulation, and shall define the extent of their authority. That person or group of persons shall report directly to the accountable manager or, in the case of design organisations, to the head of the design organisation, and shall have the appropriate knowledge, background and experience to discharge their responsibilities. It shall be determined in the procedures who deputises for a particular person in the case of lengthy absence of that person.

(c) The accountable manager or, in the case of design organisations, the head of the design organisation shall appoint a person or group of persons with the responsibility to manage the compliance monitoring function referred to in point [IS.D.OR.200](#_DxCrossRefBm1193569683)(a)(12).

(d) Where the organisation shares information security organisational structures, policies, processes and procedures, with other organisations or with areas of their own organisation which are not part of the approval or declaration, the accountable manager or, in the case of design organisations, the head of the design organisation, may delegate its activities to a common responsible person. In such a case, coordination measures shall be established between the accountable manager of the organisation or, in the case of design organisations, the head of the design organisation, and the common responsible person to ensure adequate integration of the information security management within the organisation.

(e) The accountable manager or the head of the design organisation, or the common responsible person referred to in point (d), shall have corporate authority to establish and maintain the organisational structures, policies, processes and procedures necessary to implement point [IS.D.OR.200](#_DxCrossRefBm1193569683).

(f) The organisation shall have a process in place to ensure that they have sufficient personnel on duty to carry out the activities covered by this Annex.

(g) The organisation shall have a process in place to ensure that the personnel referred to in point (f) have the necessary competence to perform their tasks.

(h) The organisation shall have a process in place to ensure that personnel acknowledge the responsibilities associated with the assigned roles and tasks.

(i) The organisation shall ensure that the identity and trustworthiness of the personnel who have access to information systems and data subject to the requirements of this Regulation are appropriately established.