Organizational roles, responsibilities & authorities for ISO 27001 Requirement 5.3

What is involved in ISO 27001 requirement 5.3? 

Depending on the size and nature of your organisation, you are likely to have a number of different roles and responsibilities that need to be defined. When doing this, it is important to ensure that the authorisation levels attached to each role are appropriate. It is also important that these roles are communicated across the organisation.

At a minimum, this involves the following:

Ensure that the necessary responsibilities and authorities are assigned to the right individuals within the organisation to carry out management-system-related activities. Aim to align these responsibilities with each person's day job so that they become a frequent, habit-based way of working rather than an occasional extra task.

You need to demonstrate that certain roles (not necessarily people) exist, have been appointed by top management and they are communicated to the relevant interested parties and documented clearly.

One person can hold more than one role, and you can unify the work, e.g. by having a management board oversee everything to help meet requirement 9.3 (management review) and join up your system. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, having a CISO (Chief Information Security Officer) role signals to your customers that you take information security seriously.

For the leadership role, choose a title such as CISO (Chief Information Security Officer) or SIRO (Senior Information Risk Owner), or an equivalent that demonstrates leadership in this position and gives confidence to your internal and external stakeholders that you take information security seriously. This is crucial for ISO 27001 certification too. The role does not have to be full-time and can be combined with other duties.

You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who would be more technical and able to focus on those aspects of the ISMS if the other roles are held by more commercial or strategic individuals. See Annex A 6.1.1 (organisation of information security) and ensure you align this requirement with that Annex A control.
