Essential Guide: Appointing an In-House Head of Computer System Security
Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) sets tough standards for Critical Infrastructure Operators (CIOs) to protect their Critical Computer Systems (CCSs) from cyber risks. A key requirement? Appointing a dedicated in-house head to oversee computer system security. This can’t be outsourced—it must be an internal employee for full accountability.
While these guidelines are tailored to CIOs under Cap. 653, they also serve as best practices for employing any high-level management role, ensuring accountability, smooth transitions, and risk mitigation across organizations.
Based on Cap. 653, Code of Practice (v1.0), and insights from the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (OCCICS) website and FAQs, here’s why this role matters and practical HR tips to handle it smoothly.
The Must-Have In-House Role: Why It Can’t Be Outsourced
CIOs need to set up a security management unit and appoint an employee to lead it (s.21(4); Code of Practice §5.3.2). This falls under Category 1 organizational duties.
- Purpose: To build strong security governance tailored to your CIO’s unique risks.
- In-House Requirement: The head must have “adequate professional knowledge” specific to your operations (OCCICS FAQ 6). Outsourcing of computer-system security management units is allowed, but the head must be an employee appointed by the CIO (OCCICS FAQ 7).
- Accountability: While suppliers can help with other tasks (via contracts), core oversight stays internal.
- Risks of Non-Compliance: Fines up to HK$5 million for the organization (ss. 7, 26, 28 and 70)—but no personal penalties for individuals (OCCICS FAQ 24).
With potential designations looming as of January 16, 2026, prioritize this hire now to stay ahead.
HR Essentials: What to Focus On
Managing this role involves blending HR best practices with regulatory needs. Break it down into key areas:
1. Defining the Role and Finding the Right Fit
The head leads the security unit, handling everything from risk assessments to incident responses. This role is not just an IT function but spans cross-business units (BUs), integrating security with operations, finance, legal, and other areas to address enterprise-wide risks.
- Core Duties: Create and implement a security plan, including access controls, training, and supply chain checks (Code of Practice §§6.2.5–6.2.27). They co-endorse the plan with top executives and review it every two years or after changes.
- Qualifications Needed: Look for certifications like CISSP, CISM, or CISA, plus experience matching your CCS threats (Code of Practice §5.3.2).
HR Tip: Involve senior management in hiring to align with strategy—they must grasp its importance for compliance, co-endorsement (Code of Practice §6.2.1), and avoiding fines/risks across BUs (OCCICS FAQ 6). Highlight Ordinance and cross-BU aspects in job postings; verify credentials for OCCICS (Annex C of Code of Practice); onboard with team training (Code of Practice §6.2.27).
2. Handling Changes and Notifications
Any shift in this role counts as a “material change” that must be reported, including during employment termination to maintain continuity and avoid compliance gaps.
- What Triggers Notification: New hires, departures (such as resignations or terminations), or anything affecting security (s.22(1); Annex D of Code of Practice; OCCICS FAQ 8).
- How to Report: Use Annex C with details like name, qualifications, and start or end date (Code of Practice §5.3.3).
HR Tip: Include notification clauses in contracts; report to OCCICS immediately post-hire or termination. Require advance exit notice, successor planning, and handover to link with exit protocols and prevent disruptions.
3. Understanding Legal Risks for the Employee
The role is high-stakes, but liability is organizational.
- No Personal Fines: Penalties hit the CIO, not the individual (OCCICS FAQ 24).
- Internal Protections: Clear duties help avoid blame in disputes.
HR Tip: Add indemnity clauses (excluding wilful errors); link reviews to security goals for accountability, trust, and lower turnover.
4. Managing Exits: Termination, Garden Leave, and Handovers
Smooth transitions are crucial to maintain continuity (Category 1).
- Key Concerns: Sudden exits could disrupt operations and require immediate reporting.
- No Fixed Rules: But longer notice periods help with knowledge transfer.
HR Tip: Use 3–6 month notice periods for handovers (data/knowledge transfer, successor training); apply garden leave for secrecy (s.57, up to HK$1M fines); limit non-competes to sensitive data; ensure pay and audit support.
Wrapping Up: Make It a Smart Move
View this appointment as a boost to your cyber defenses, not just compliance. Keep detailed HR records—they can back due diligence defenses (ss.65–66).
For custom advice, reach out to Oldham Li & Nie. Aligning HR with Cap. 653 now strengthens your position in Hong Kong’s evolving critical infrastructure landscape.
Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.