System owners maintain and operate systems
All systems must have an owner.
All system owners need to ensure IT governance processes are followed and that business requirements are met.
System owners for large or critical systems should be part of your organisation’s senior executive team or hold an equivalent management position.
Your responsibilities as a system owner
As a system owner, you’re responsible for the overall operation and maintenance of a system, including any related support service or outsourced service, such as a cloud service.
You may delegate the day-to-day management and operation of the system to a system manager or managers.
Operating the system and maintaining accreditation
You must ensure the system you own is accredited to meet your organisation’s operational requirements. You are responsible for obtaining and maintaining accreditation.
If the system is modified, you need to ensure:
- the changes are done properly and documented
- that any necessary reaccreditation activities are completed.
Developing, maintaining, and implementing documentation
As a system owner, you must ensure that information security documentation for the system is developed, maintained, and implemented. Documentation for the system includes SRMPs, SecPlans, and SOPs.
You should involve security personnel in the documentation process to ensure a holistic approach to information security can be mapped to your understanding of security risks for your specific system.
You must ensure the documentation is complete, accurate, and up to date. You must also document the actions you take to develop, maintain, and implement the documentation.
You must involve your ITSM when you redevelop or update information security documentation.
For more information see the following chapters of the NZISM:
- System certification and accreditation (chapter 4)
- Information security documentation (chapter 5).
Page last modified: 4/05/2022