{"id":1323,"date":"2026-03-23T14:29:21","date_gmt":"2026-03-23T14:29:21","guid":{"rendered":"https:\/\/nimbis.si\/?p=1323"},"modified":"2026-03-23T14:34:37","modified_gmt":"2026-03-23T14:34:37","slug":"kdo-je-odgovarja-za-varnosti-v-vasi-organizaciji-zavezanost-vodstva-temelj-in-zinfv-1","status":"publish","type":"post","link":"https:\/\/nimbis.si\/en\/2026\/03\/23\/kdo-je-odgovarja-za-varnosti-v-vasi-organizaciji-zavezanost-vodstva-temelj-in-zinfv-1\/","title":{"rendered":"Who Owns Security in Your Organisation? Leadership Commitment and ZInfV-1"},"content":{"rendered":"<p>When an information security programme fails \u2014 when a breach goes undetected for months, when an incident notification deadline is missed, when a certification audit exposes gaps that should have been closed years ago \u2014 the root cause is almost never a technical one. The firewall was probably adequate. The policy probably existed. The problem was that nobody with real authority ever made security a genuine priority.<\/p>\n\n\n\n<p>ISO 27001 Clause 5 addresses this directly. Leadership is not a supporting condition for a working security programme \u2014 it is the prerequisite. And under ZInfV-1, it is also a legal obligation with personal consequences.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. A governance obligation, not an IT delegation<\/h2>\n\n\n\n<p>ZInfV-1 Article 23 \u2014 implementing NIS2 Article 20 \u2014 places explicit, non-delegable obligations on management bodies of essential and important entities. Boards and senior executives must personally approve cybersecurity risk management measures, oversee their implementation, and bear responsibility for infringements. Management body members may be required to undergo security training.<\/p>\n\n\n\n<p>This is a meaningful shift. Under the previous regulatory regime, governance failures were primarily organisational liabilities. Under ZInfV-1 they are personal ones. 
A board that signs off on a security report without genuinely engaging with its contents is not just overseeing a gap \u2014 it is exposed.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>ACCOUNTABILITY TEST<\/strong><br>When a regulator examines your organisation, they will not only ask whether controls exist. They will ask who approved them, who is monitoring them, and what evidence exists of active board-level oversight. 'We delegated it to IT' is not a defensible answer under ZInfV-1.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">2. What ISO 27001 requires from leadership \u2014 specifically<\/h2>\n\n\n\n<p>ISO 27001 Clause 5.1 uses the word 'demonstrate' deliberately. Leadership must show evidence of active engagement across seven areas:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Leadership must demonstrate<\/strong><\/td><\/tr><tr><td>Security policy and objectives aligned with strategic direction<\/td><\/tr><tr><td>ISMS requirements are integrated into organisational processes<\/td><\/tr><tr><td>Resources for the ISMS are available<\/td><\/tr><tr><td>Importance of security is actively communicated<\/td><\/tr><tr><td>ISMS achieves its intended outcomes<\/td><\/tr><tr><td>Continual improvement is promoted<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>None of this requires a dedicated board sub-committee or a large security team. It requires that security has a named, resourced owner with access to leadership \u2014 and that leadership takes the reporting seriously enough to act on it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. The security policy: governance instrument or compliance liability?<\/h2>\n\n\n\n<p>The information security policy is the most visible signal of whether leadership commitment is real. Most organisations have one. 
Fewer have one that does anything useful.<\/p>\n\n\n\n<p>A policy that was drafted by IT, signed once, and has never been reviewed against ZInfV-1 obligations or the current threat landscape is not a governance instrument. It is a liability document \u2014 one that creates the impression of compliance while providing no operational substance and no regulatory protection.<\/p>\n\n\n\n<p>A functioning policy is approved by the most senior appropriate leader (not IT, not legal \u2014 leadership), references the specific regulatory framework including ZInfV-1, commits to proportionate and improving security measures, and is reviewed at minimum annually. It is the document a regulator would ask to see first \u2014 and the one most organisations are least prepared to produce.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>QUICK DIAGNOSTIC<\/strong><br>Pull out your current security policy. Ask three questions: Does it name ZInfV-1 or NIS2 specifically? Was it approved by a board member or C-level executive? Has it been reviewed in the last 12 months? If the answer to any of these is no, you have a governance gap that a regulator will find before you do.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">4. The accountability gap most organisations don't see<\/h2>\n\n\n\n<p>The most common failure in security governance is not a lack of security staff. It is the assumption that hiring a CISO or security manager resolves the accountability question. It does not.<\/p>\n\n\n\n<p>A security manager without board-level access, budget authority, or the ability to escalate concerns into strategic decisions cannot fulfil what ISO 27001 and ZInfV-1 require of leadership. The accountability sits above them. When the security manager escalates a critical risk and nothing happens, that is a leadership failure \u2014 and under ZInfV-1, it is a documented one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
A leadership gap is ZInfV-1 exposure<\/h2>\n\n\n\n<p>Organisations that struggle with ZInfV-1 compliance are rarely those without the technical capability to implement security. They are those where leadership has not yet understood \u2014 or accepted \u2014 that security is their responsibility, not their security team's.<\/p>\n\n\n\n<p>The regulator will look for evidence of genuine oversight: documented board approvals, a security policy with current management sign-off, quarterly review records, and an ISMS owner with real authority. If these do not exist, the technical controls underneath them \u2014 however well designed \u2014 will not create a defensible compliance position.<\/p>\n\n\n\n<p>Building genuine leadership engagement into a security programme is not straightforward, particularly in organisations where security has historically been an IT matter. It requires a structured approach, clear communication of personal obligations, and experienced external support that can translate regulatory requirements into board-ready language.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>IS YOUR BOARD GENUINELY ENGAGED \u2014 OR JUST SIGNED OFF?<\/strong><br>There is a material difference between a board that has approved a security policy and a board that understands and oversees the security programme it governs. Our free Information Security Maturity Assessment covers governance and leadership as one of its five domains, giving you an immediate, honest read on where your organisation stands. Ten minutes. No obligation. 
And if the results raise questions you want to work through with us \u2014 we offer a free 30-minute consultation.<\/p>\n<\/blockquote>\n\n\n\n<p>Series continues \u2014 next week: Planning (ISO 27001, Clause 6)<\/p>","protected":false},"excerpt":{"rendered":"<p>Ko informacijski varnostni sistem odpove \u2014 ko vdor ostane neodkrit ve\u010d mesecev, ko prete\u010de rok za priglasitev incidenta, ko revizija razkrije vrzeli, ki bi jih bilo treba odpraviti \u017ee leta prej \u2014 vzrok skoraj nikoli ni tehni\u010den. Po\u017earni zid je verjetno ustrezen. Tudi politika je obstajala. Problem je, da ni nih\u010de z avtoriteto varnosti postavil [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1325,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1323","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nekategorizirano"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/comments?post=1323"}],"version-history":[{"count":2,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1323\/revisions"}],"predecessor-version":[{"id":1326,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/posts\/1323\/revisions\/1326"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/media\/1325"}],"wp:attachment":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/media?parent=13
23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/categories?post=1323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/tags?post=1323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}