Make sure the information security officer operates independently and is not part of ICT

The security officer must be able to function independently of operations in order to execute the role properly.

Ideally, the security officer does not report directly to the IT director but to the audit director, or even to the management committee.