Leadership and commitment at company management level
The company’s management takes active responsibility for IT security and responsible data use. However, the management does not necessarily carry out the work itself.
- 1.1 Roles and responsibilities in relation to IT security and responsible use of data
  The company should ensure that at least one named person assumes responsibility for its IT security and responsible use of data.
  - 1.1.1 Assign responsibility and authority to handle IT security and responsible use of data
- 1.2 Overview of data and systems
  The company should have an up-to-date written summary of the data and selected assets that enable it to run its business and exercise control according to:
  – the relative importance to the company
  – the company’s data subjects
  – the company’s risk level
  - 1.2.1 Overview of personal data
  - 1.2.2 Overview of business-critical data
  - 1.2.3 Overview of IT systems, services, network components, devices, software and activity-based algorithms/AI use-cases
- 1.3 Risk management
- 1.4 Policy for IT security
  The company should have a policy for IT security approved by management, which is communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.
  - 1.4.1 Policy for IT security
- 1.5 IT contingency plan
  The company should have an IT contingency plan to handle incidents.
  - 1.5.1 IT contingency plan
- 1.6 Policies for responsible use of data
  The company should have a policy for handling personal data and a policy for data ethics, approved by management. These policies should be communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.
  - 1.6.1 Policy for processing personal data
  - 1.6.2 Policy for data ethics
- 1.7 Development lifecycle
  The company should have a development lifecycle to ensure that functional and non-functional requirements (including requirements from D-seal) are specified and implemented. Tests should then be performed to determine whether they have been implemented effectively and whether they are being maintained. D-seal lays down a number of requirements to be incorporated into the development lifecycle in criteria 6 (Privacy & Security by Design & Default) and 7 (Trustworthy algorithms and AI).
  - 1.7.1 Requirements for the development lifecycle