Organizational roles, responsibilities & authorities for ISO 27001 Requirement 5.3

What is involved in ISO 27001 requirement 5.3? 

Depending on the size and nature of your organisation you are likely to have a number of different roles and responsibilities that need to be set. When doing this it is important to ensure the authorisation levels are appropriate. It is also important that these roles are communicated to the organisation.

These roles will include:

• making sure the information security management system continues to conform to the requirements of the International Organisation for Standardisation
• ISMS performance reporting

Ensure the assignment of the necessary responsibilities and authorities to the right individuals within the organisation to carry out management system related activities. Aim to align this with their day job so it becomes a frequent and a habit based way of working.

You need to demonstrate that certain roles (not necessarily people) exist, have been appointed by top management and they are communicated to the relevant interested parties and documented clearly.

One person can do more than one role and you can unify the work e.g. by having a management board oversee everything to help meet 9.3 and join-up your system. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, the role of CISO (Chief Information Security Officer) could imply to your customers that you take information security seriously.

Choose the leadership role above as something like CISO – Chief Information Security Officer or SIRO – the Senior Information Risk Owner, or an equivalent that demonstrates leadership in this position and gives confidence to your internal and external stakeholders that you take information security seriously. This is crucial for ISO 27001 certification too. The role does not have to be a full-time role and can be associated with other duties.

You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who would be more technical and able to focus on those aspects of the ISMS if the other roles are delivered by more commercial/strategic individuals. See Annex A 6.1.1 (about the organisation of information security) and ensure you align this requirement with that Annex A control.