ISO27001 – Control 5.2 – Information Security Roles and Responsibilities


Information security roles and responsibilities should be defined and allocated according to the organization needs.

What this means

The purpose of this control is to ensure there is a formal, approved structure for managing, implementing and operating the information security management system (ISMS), so that every security task has a named owner.

When assigning security roles and responsibilities, an organisation should align them with the overarching information security policy and any topic-specific security policies. Common roles and responsibilities that should be covered include:

  • Protecting information assets and other associated assets
  • Carrying out specific security processes
  • Managing information security risk activities, especially related to accepting residual risks
  • Ensuring all personnel use organisational information and other associated assets correctly

For large or complex organisations, it may be helpful to define responsibilities at the departmental or site level in addition to the organisation-wide policy. Senior security roles can delegate tasks, but accountability cannot be delegated: it stays with the role to which it was assigned.

Best practices related to this process include:

  • Documenting all security roles and responsibilities, along with authorisation levels, and communicating expectations
  • Selecting competent individuals for security roles and supporting ongoing education related to new developments that may impact their responsibilities
  • Including information security responsibilities in job descriptions
  • Identifying responsible managers to oversee strategy and policy implementation
  • Making asset owners responsible for the day-to-day protection of those assets

A simple way to demonstrate this is a RACI chart (Responsible, Accountable, Consulted, Informed) for each area of the ISMS, supported by further documentation where a chart alone is not enough. Staff with key roles in the ISMS should have those responsibilities written into their job descriptions.

There should be no ambiguity about security responsibilities at any level of the organisation.

If you want to know about our template policies or ISO27001 implementation then book a free call here or email us here