Organisational Roles, Responsibilities & Authorities for ISO 27001 Requirement 5.3
What is involved in ISO 27001 requirement 5.3?
Clause 5.3 requires top management to assign, and communicate, the roles, responsibilities and authorities that matter to the information security management system, so that it is clear who does what. It does not mean the organisation has to appoint several new staff or over-engineer the resources involved; that is an often misunderstood expectation which puts smaller organisations off pursuing the standard.
Quite simply, ISO 27001 is looking for clarity and focus on the key parts of the ISMS: who is accountable overall, who is responsible for which parts, and who has the authority to take decisions. That is normal good business practice. You need to demonstrate that certain roles (not necessarily dedicated people) exist, that top management has assigned them, and that they are communicated to the relevant interested parties and recorded clearly enough that there is no ambiguity.
The requirement is high level and easy to document, and it ties into other parts of the information security management system, e.g. the risk owners identified under 6.1, the owners of information security objectives under 6.2, and the competence expectations of 7.2 for the people holding the roles. ISMS.online also makes ISMS ownership and engagement easy in practice with its collaborative team memberships and its policy, risk, incident and improvement owners, all of which can flow down from the top-management clarity established in clause 5.3.
One individual can therefore hold more than one role, and you can unify the work, e.g. by having a management board oversee everything, which also helps demonstrate the management reviews required by 9.3 and joins up the information security management system. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, a CISO (Chief Information Security Officer) role signals to customers that you take information security seriously; in a smaller organisation it could be held by a senior executive alongside their day job, while in a larger organisation it might be a full-time role in its own right.
You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who is more technical and can focus on those aspects of the ISMS if the other roles are held by more commercial or strategic individuals. Whatever the split, align this requirement with Annex A control A.6.1.1 (information security roles and responsibilities, within the organisation of information security; in the 2022 revision of the standard the equivalent control is A.5.2). When one person holds several roles, also check the combination against A.6.1.2 (segregation of duties): the person responsible for operating a control should not be the one who audits it, since 9.2 requires internal audits to be objective and impartial.
ISO 27001 clause 5.3 specifically requires top management to assign the responsibility and authority for:
- ensuring that the information security management system conforms to the requirements of the standard (ISO/IEC 27001 itself, not the ISO organisation);
- reporting on the performance of the ISMS to top management (which is much easier when the evidence is all in one place).
It may well be that a senior executive is accountable for the ISMS as part of the leadership commitment in 5.1, and they can of course delegate the day-to-day running of it to others in the organisation, or outsource it to a specialist such as a virtual CISO, which many of the ISMS.online partners offer. Accountability stays with top management either way: the assignment itself is their decision, and an outsourced role needs the same clarity about responsibility and authority (and is a supplier relationship in its own right). Just remember to document it, with evidence an auditor can check, such as a RACI matrix, job descriptions or board minutes recording the appointments.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement