Culture and Org. -> Education and Guidance: Each team has a security champion
Risk and Opportunity
Risk: No one feels directly responsible for security, and the security champion does not have enough time to allocate to each team.
Opportunity: Each team defines an individual who is responsible for security. These individuals are often referred to as 'security champions'.
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
Implementation hints: https://www.owasp.org/index.php/Security_Champions_Playbook
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
- Security champions are most likely not covered by ISO 27001