The company’s management takes active responsibility for IT security and responsible data use. However, it is not necessarily the management, who is executing.
1.1 Roles and responsibilities in relation to IT security and responsible use of data
The company should ensure that at least one named person assumes the responsibility for its IT security and responsible use of data.
1.1.1 Assign responsibility and authority to handle IT security and responsible use of data
1.2 Overview of data and systems
The company should have an up-to-date written summary of the data and selected assets that enable it to run its business and exercise control according to:
– the relative importance to the company
– the company’s data subjects
– the company’s risk level
1.2.1 Overview of personal data
1.2.2 Overview of business-critical data
1.2.3 Overview of IT systems, services, network components, devices, software and activity-based algorithms/AI use-cases
1.3 Risk management
The company should produce risk assessments and ensure that risks are handed and reported as necessary.
1.3.1 Risk assessment
1.4 Policy for IT security
The company should have a policy for IT security approved by management, which is communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.
1.4.1 Policy for IT security
1.5 IT contingency plan
The company should have an IT contingency plan to handle incidents.
1.5.1 IT contingency plan
1.6 Policies for responsible use of data
The company should have a policy for handling personal data and a policy for data ethics, approved by management. These policies should be communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.
1.6.1 Policy for processing personal data
1.6.2 Policy for data ethics
1.7 Development lifecycle
The company should have a development lifecycle to ensure that functional and non-functional requirements (including requirements from D-seal) are specified and implemented. Tests should then be performed to determine whether they have been implemented effectively and whether they are being maintained. D-seal lays down a number of requirements to be incorporated into the development lifecycle in criteria 6 (Privacy & Security by Design & Default) and 7 (Trustworthy algorithms and AI).
1.7.1 Requirements for the development lifecycle