IS.I.OR.240 Personnel requirements

Regulation (EU) 2023/203

(a)     The accountable manager of the organisation designated in accordance with the Regulation (EU) No 1321/2014, Regulation (EU) No 965/2012, Regulation (EU) No 1178/2011, Regulation (EU) 2015/340, Regulation (EU) 2017/373 or Regulation (EU) 2021/664 as applicable referred to in Article 2(1) of this Regulation shall have corporate authority to ensure that all activities required by this Regulation can be financed and carried out. That person shall:

(1)     ensure that all necessary resources are available to comply with the requirements of this Regulation;

(2)     establish and promote the information security policy referred to in point IS.I.OR.200(a)(1);

(3)     demonstrate a basic understanding of this Regulation.

(b)     The accountable manager shall appoint a person or group of persons to ensure that the organisation complies with the requirements of this Regulation, and shall define the extent of their authority. That person or group of persons shall report directly to the accountable manager, and shall have the appropriate knowledge, background and experience to discharge their responsibilities. It shall be determined in the procedures who deputises for a particular person in the case of lengthy absence of that person.

(c)      The accountable manager shall appoint a person or group of persons with the responsibility to manage the compliance monitoring function referred to in point IS.I.OR.200(a)(12).

(d)     Where the organisation shares information security organisational structures, policies, processes and procedures with other organisations or with areas of their own organisation which are not part of the approval or declaration, the accountable manager may delegate its activities to a common responsible person.

In such a case, coordination measures shall be established between the accountable manager of the organisation and the common responsible person to ensure adequate integration of the information security management within the organisation.

(e)     The accountable manager or the common responsible person referred to in (d) shall have corporate authority to establish and maintain the organisational structures, policies, processes and procedures necessary to implement point IS.I.OR.200.

(f)      The organisation shall have a process in place to ensure that they have sufficient personnel on duty to carry out the activities covered by this Annex.

(g)     The organisation shall have a process in place to ensure that the personnel referred to in point (f) have the necessary competence to perform their tasks.

(h)     The organisation shall have a process in place to ensure that personnel acknowledge the responsibilities associated with the assigned roles and tasks.

(i)      The organisation shall ensure that the identity and trustworthiness of the personnel who have access to information systems and data subject to the requirements of this Regulation are appropriately established.