
Security Governance within Schibsted

Schibsted has an Information Security Management System (ISMS) based on ISO27001. The central Schibsted Security Team coordinates information security governance within Schibsted in cooperation with all parts of the organization. 

The purpose of the ISMS is to preserve confidentiality, integrity, and availability of information following Schibsted’s Security Policy. The main drivers for security are: 

  • Ensuring that the business strategies and objectives are not jeopardized due to security risks 
  • Ensuring that laws and regulatory requirements are complied with (legal compliance)
  • Ensuring that customers’ expectations and business agreements are met 
  • Protection of shareholders’ value, and the company’s assets and investments

The ISMS is continuously maintained, evaluated and enhanced following identified needs. The overall ISMS objectives are:

  • Security risks are being adequately addressed and maintained
  • Compliance with internal and external security requirements
  • Sufficient security awareness throughout the organization 
  • Group Security Policy and Instructions are current and aligned with relevant strategies

Security Governance Roles and Responsibilities

Schibsted Companies: Own the responsibility for implementing required security controls, policies, and guidelines, with the appropriate assignment of resources to ensure active management of security to protect data and privacy.

Chief Information Security Officer (CISO): Responsible for managing the Security Governance Framework across business operations, defining necessary security management requirements, coordinating strategic objectives with business owners, and ensuring fulfilment. For majority-owned companies, key processes shall be identified and in place. The Security Governance Framework embraces all security areas in Schibsted.

Chief Information Officer: Is responsible for implementing Security Governance into the corporate IT environment delivered across Schibsted in collaboration with business entities, setting technical security controls and security performance reporting.

Information or Data Owner: Is responsible for who has access to information assets within their functional areas. An Information or Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege and the separation of duties.

Systems Owners: The Information System Owner (also referred to as Systems Owner) is the individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of an information system.

Service Owners: A service can consist of several different systems. The Service Owner is responsible for delivering a particular service within the agreed service levels. The Service Owner is also in contact with several Systems Owners and handles OLAs (operational-level agreements).

Legal, Privacy, and Compliance: Responsible for providing legal and privacy guidance and instruction to support the establishment and maintenance of effective security governance across Schibsted business entities.

HR: Responsible for ensuring compliance with security policy, directives, and guidelines, supporting security awareness training and compliance by managers, employees, and contractors.

Employees, Managers & Contractors: Company staff are the most vital component in protecting the use of company data and information. They are responsible for using company assets, data, and information securely and for supporting the overall objectives of Security Governance.

Suppliers: Shall comply with Schibsted Security Governance and Supplier Code of Conduct, specific to contracted services, with appropriate security controls and processes, including security reporting if applicable.