Organizational roles, responsibilities & authorities for ISO 27001 Requirement 5.3
What is involved in ISO 27001 requirement 5.3?
Depending on the size and nature of your organisation, you are likely to have a number of different information security roles and responsibilities that need to be defined. When doing this, make sure the authority assigned to each role is appropriate to what it is expected to do, and communicate the roles across the organisation so people know who is accountable for what.
Clause 5.3 requires top management to assign responsibility and authority for, at a minimum:
- ensuring the information security management system conforms to the requirements of ISO/IEC 27001
- reporting on the performance of the ISMS to top management
Assign the necessary responsibilities and authorities to the right individuals within the organisation to carry out management-system activities. Aim to align these with their day job so the work becomes a regular, habitual way of working rather than an annual scramble before the audit.
You need to demonstrate that certain roles (not necessarily people) exist, have been appointed by top management and they are communicated to the relevant interested parties and documented clearly.
One person can hold more than one role, and you can unify the work, e.g. by having a management board oversee everything, which also helps you meet clause 9.3 (management review) and join up your system. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, having a CISO (Chief Information Security Officer) signals to your customers that you take information security seriously.
Name the leadership role something like CISO (Chief Information Security Officer) or SIRO (Senior Information Risk Owner), or an equivalent that demonstrates leadership in this position and gives confidence to your internal and external stakeholders that you take information security seriously. Auditors will expect to see this leadership role clearly assigned and documented. It does not have to be a full-time role and can be combined with other duties.
You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who is more technical and able to focus on those aspects of the ISMS if the other roles are held by more commercial or strategic individuals. See Annex A control A.6.1.1 (Information security roles and responsibilities, within A.6 Organisation of information security) and make sure your clause 5.3 role assignments and that control are consistent with each other.
The ISO 27001 clause 4 to 10 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance