What are the Responsibilities and Duties of an Information Security Officer?


What is an Information Security Officer?

An information security officer (ISO) is a relatively new position that works with other department heads to make all data safe, secure, and available for those who need it. The officer also ensures that the company’s security system is in compliance with federal and state laws and regulations. This person has to make sure that standard industry practices, policies, and procedures are followed.

Typically the ISO has responsibility over all aspects of security for an organization. This person has to protect the organization from internal and external security threats.

What are the Duties and Responsibilities of an Information Security Officer?

  • Providing Management with Information Security Issues – Management must be kept up to date on the different threats and security vulnerabilities that the organization may have.

  • Providing Management with Information Security Risk Assessments – The ISO has to provide management with an assessment of those risks that are real to the organization. Flooding can be a security risk in New Orleans, Louisiana, but it wouldn’t be in Phoenix, Arizona. Both organizations, however, would be concerned about physical break-ins, data loss, or data theft.

  • Plan Information Security – The ISO must study the organization, including its software, hardware, and Internet operations, in order to plan the right kind of solution, how much it will cost to implement, how many people will work on it, and how much time it will take to prepare.

  • Develop Information Security Protocols and Procedures – In order to fully prepare an organization for its vulnerabilities, the ISO must outline what the vulnerabilities are, how to recognize them, and what to do if one of them is exploited. The ISO must set up procedures and protocols for each vulnerability that is recognized.

  • Create and Manage a Business Continuity and Disaster Recovery Plan – In the event of a disaster, how fast can the organization be back up and running? Specifically, how fast can the Information Technology department be back up and running? Planning must take place to handle not only ordinary hardware or software failures, but also calamities.

  • Work with Other Departments on Information Security Issues – Security is not just the responsibility of one department, but of everyone. In that vein, the ISO should communicate with other departments and learn what data, hardware, and software are important to protect.

  • Managing the Information Security Protocols and Policies – The ISO must manage the security policy and show others what the policies are and the protocols that will be used in order to implement and enforce them.

  • Handle Information Security Incidents – If an incident involving hardware, software, network intrusion, or Internet operations takes place, the ISO, or the staff acting under the ISO’s direction, must address it and create a report afterwards to log the incident.

  • Review Information Security Problems – In the event that the current security protocols or policies are weak and ineffective or need to be revised, a review should be conducted and its recommendations instituted.

Information Security

All of these information security officer duties are designed to minimize the security threats that may be present or on the horizon. This position is a proactive one; planning, foresight, and good management skills are a requirement.


A recently discovered car bomb in New York City showed how frail security operations can be. The would-be terrorist was able to elude police and was finally removed from an airplane he had boarded. The airlines had not updated the no-fly list from earlier in the day, and that was why he was able to get on board.

This incident shows that vigilance is not a remote operation. It must be practiced at all levels. The main duty of an information security officer is to create a series of policies to enhance security and furnish the protocols for everyone to follow, and then instruct others that security vigilance is their responsibility, too.