LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why is information security considered a management responsibility, and what does Swiss law say about it?

Information security is legally a management responsibility — Swiss corporate law (OR Art. 754) says responsibility cannot be fully delegated, even when tasks are outsourced.

Why it's management's job:

  • Lack of information security can disrupt or prevent business operations entirely
  • Protecting information is part of management's duty of care (Sorgfaltspflicht)
  • Responsibility cannot be delegated — you can delegate tasks, but not accountability

Swiss legal basis (OR Art. 754 Abs. 2): If someone delegates a task to another party, they remain liable for damages caused unless they can prove they exercised proper care in selecting, instructing, and supervising that party.

Without management support, nothing works because there are:

  • No resources (time and money)
  • No authority (power to enforce and implement)
  • No priority (security gets pushed aside)

Key principle: "Information security oversight is a C-level responsibility" — the board and executives bear ultimate accountability.

Go deeper:

From Quiz: ISM / ISM Intro & Repetition | Updated: Jul 05, 2026