LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What does the Kantonsspital Aarau example show about placing information security in an organization?

Information security positioned as a staff function at the CTO level — alongside Legal & Compliance and IT architecture, above IT operations.

In the hospital's IT organization chart:

  • The CTO sits on top
  • Attached at staff level: IT Architektur, Info-Sicherheit, Legal & Compliance, and a Digital Office (coordinating digitalization PPM and IT innovation management)
  • Below: Leiter Informatik (IT operations: service management, application management, project management, projects & investments) and Leiter Medizintechnik (medical technology)

What to notice:

  • Security sits above operational IT, not inside it — it can set requirements for both IT and medical technology without being subordinate to the units it oversees
  • Placement next to Legal & Compliance reflects how intertwined security is with regulatory duties (patient data!)
  • This is the Stab-Linien pattern in practice: advisory + directive competence near the top, execution in the line

Tip: "Who does the CISO report to?" is a standard audit question — reporting into IT operations is a red flag (conflict of interest: the controller reports to the controlled).

Go deeper:

From Quiz: ISM / Organisationsformen & Entscheidungswege | Updated: Jul 05, 2026