# Management Duties per §38 BSIG

## Legal Obligations

### §38(1) – Approval and Supervision

Management is personally obligated to:

| Duty | Description | Evidence |
|---|---|---|
| Approval | Formal approval of all risk management measures per §30 | Signed approval document |
| Supervision | Ongoing control of proper implementation | Regular security reports, KPI reviews |

### §38(2) – Personal Liability

- Management is personally liable for damages resulting from a breach of its duties under paragraph 1
- Waiver agreements are void
- Settlements on compensation claims are void
- Compensation claims of the entity against management cannot be excluded

### §38(3) – Training Obligation

- Management must regularly participate in training
- Purpose: sufficient knowledge to identify and assess risks
- Content: risk management practices and their impact on the entity's services

## Implementation at BAUER GROUP

### Approval Process

| Step | Description | Documentation |
|---|---|---|
| 1. ISO (Information Security Officer) prepares measure proposal | Based on risk analysis and §30 requirements | Measure plan |
| 2. Presentation to management | Explanation of risks and proposed measures | Presentation materials |
| 3. Discussion and adjustment | Management may request changes | Meeting minutes |
| 4. Formal approval | Management signature | Approval document with date and signature |
| 5. Implementation mandate | Resource allocation and responsibility assignment | Documented mandate |

### Supervision Mechanisms

| Mechanism | Interval | Format |
|---|---|---|
| KPI dashboard | Monthly | Digital report |
| Quarterly management report | Quarterly | Presentation + discussion |
| Annual security report | Annually | Written report with action plan |
| Event-driven escalation | On High/Critical-severity events | Immediate notification |

### Training Evidence

| Aspect | Implementation |
|---|---|
| Frequency | At least annually |
| Format | In-person training or qualified webinar |
| Trainer | ISO or external cybersecurity expert |
| Evidence | Attendance confirmation with date, content, duration |
| Archival | Minimum 3 years |

### Liability Minimization

To minimize the personal liability risk of management:

| Measure | Description |
|---|---|
| Documented approval | Approve and archive every measure in writing |
| Regular reports | Demonstrable supervision through acknowledgment and discussion of reports |
| Documented training | Retain attendance records |
| Adequate resources | Allocate budget and personnel for information security |
| Timely response | Take prompt action when risks become known |