ISO 27002:2022, Control 5.2 – Information Security Roles and Responsibilities


What is Control 5.2: Information Security Roles and Responsibilities?

ISO 27002:2022 control 5.2, Information Security Roles and Responsibilities, is one of the foundational controls in the 2022 edition of the standard. It is a modified version of control 6.1.1 in ISO 27002:2013 and sets out how an organisation should define and allocate its information security roles and responsibilities.

Information Security Roles and Responsibilities Explained

The head of the organisation, the chief information security officer (CISO), the IT service management (ITSM) function, system owners and system users all contribute to the robustness of information security. This section summarises the responsibilities of each of these roles.

The head of the organisation carries ultimate responsibility

As head of the organisation, you are ultimately responsible for information security. You also act as the organisation’s accrediting authority.

Security governance is the responsibility of the CISO

The CISO is responsible for security governance and for applying good practice from the security sector. Having this position in place ensures that information security is managed, and represented, at the highest levels of the organisation.

IT service management (ITSM) implements security measures and provides expertise

ITSM is a senior function within the company. Its system administrators work with the CISO to carry out the chief executive’s strategic direction on security.

System owners maintain and operate their systems

Every system must have a named owner. Each owner is responsible for ensuring that their system complies with IT governance rules and meets the business needs it was put in place to serve.

System users safeguard systems by following policies and procedures

Users are more likely to follow security rules and procedures where a strong security culture is in place. Every system carries inherent risks, and users share responsibility for mitigating them by using the system as the policies and procedures require.

Addressing this control is critical for ensuring that each employee understands what they’re responsible for when it comes to protecting data, systems and networks. Admittedly, this is a challenge for many companies, especially small ones where the employees typically wear more than one hat.


Attributes Table

An attributes section is now included in the latest version of ISO 27002. Defining attributes is a way to classify controls. These allow you to easily match your control selection with typical industry terminology. The attributes for control 5.2 are:

Control type: #Preventive
Information security properties: #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Governance
Security domains: #Governance and Ecosystem, #Resilience

What Is The Purpose of Control 5.2?

The purpose of control 5.2 is to establish a defined, approved and understood structure for the implementation, operation and management of information security within the organisation. This is a formal organisational structure that assigns responsibility for information security throughout the organisation.

Control 5.2 Explained

Control 5.2 addresses the implementation, operation and management of roles and responsibilities for information security in an organisation according to the framework as defined by ISO 27001.

The control states that information security roles and responsibilities should be well defined and that everyone involved should understand their role. Typically, assets are assigned a designated owner who assumes responsibility for their day-to-day care.

Depending on the size of the organisation and the resources available, information security may be handled by a dedicated team, or the additional responsibilities may be assigned to existing employees alongside their current roles.

What Is Involved and How To Meet The Requirements

Allocating roles and responsibilities for information security is crucial for ensuring that the organisation’s information security is maintained and enhanced. To meet the requirements for this control, the allocation of roles should be formalised and documented, e.g., in a table form or in the form of an organisational chart.

  • The organisation should define the responsibilities and accountabilities for information security within the organisation and assign them to specific management job functions or roles.
  • This control should ensure that there is clarity with regard to the various roles and responsibilities within the organisation, in order to ensure that appropriate management attention is paid to information security.
  • Where appropriate, further training for individual sites and information processing facilities should be provided to help fulfil these duties.

The intent here is to ensure that clear roles, responsibilities and authorities are assigned and understood throughout the organisation. In order to ensure effective segregation of duties, the roles and responsibilities should be documented, communicated and applied consistently across the organisation.


Differences Between ISO 27002:2013 and 27002:2022

As already pointed out, control 5.2 in ISO 27002:2022, Information Security Roles and Responsibilities, is not a new control. This is simply a modified control found in ISO 27002:2013 as control 6.1.1.

The purpose of control 5.2 is now stated explicitly, and new implementation guidance has been added in the 2022 revision. While the essence of the two controls is basically the same, the 2022 version contains some improvements.

For example, ISO 27002:2022 states that individuals who take on a specific information security role should be competent in the knowledge and skills the role requires, and should be supported in keeping up to date with developments relevant to the role and needed to fulfil its obligations. A similar point appears only as one item in the 2013 list of areas of responsibility (item d below); the 2022 version makes it a stand-alone requirement.

Additionally, the implementation guidelines of both versions are slightly different. Let us compare sections of the two below:

ISO 27002:2013 states the areas for which individuals are responsible should be stated. These areas are:

a) the assets and information security processes should be identified and defined;

b) the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;

c) authorisation levels should be defined and documented;

d) to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;

e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.

ISO 27002:2022 is more condensed. It simply states that the organisation should define and manage responsibilities for:

a) protection of information and other associated assets;

b) carrying out specific information security processes;

c) information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);

d) all personnel using an organisation’s information and other associated assets.

Both control versions however suggest that organisations can appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

Who Is In Charge Of This Process?

An information security manager is often appointed by companies to oversee the creation and execution of security measures and to aid in the detection of potential threats and controls.

Resourcing and putting the controls in place will typically fall to individual managers. A frequent practice is to designate an individual for each asset, who is then in charge of the asset’s ongoing security.


How ISMS.online Helps

Meeting the requirements of ISO 27002:2022 mainly involves updating your existing ISMS processes to reflect the revised controls. If your in-house team cannot take this on, ISMS.online can help.

In addition to providing a sophisticated cloud-based framework for documenting ISMS procedures and checklists to assure compliance with established norms, ISMS.online also streamlines the ISO 27001 certification process and the ISO 27002 implementation process.

All of your ISMS activities can be managed in one centralised location using our cloud-based software. You can use the application to keep track of everything required to demonstrate conformity with the ISO 27001 specifications.

Implementing ISO 27002 is simplified with our intuitive step-by-step workflow and tools that include frameworks, policies and controls, actionable documentation and guidance. You can define the scope of the ISMS, identify risks, and implement controls using our platform – in just a few clicks.

We also have an in-house team of information security specialists who will provide advice and assistance so that you can demonstrate compliance with the standard, and your commitment to information security, to your customers.

To learn more about how ISMS.online can assist you in achieving your ISO 27001 objectives, please call us on +44 (0)1273 041140.

Get in touch today to book a demo.

New Controls

2022 control | 2013 control | Control name
5.7  | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4  | New | Physical security monitoring
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

2022 control | 2013 control | Control name
5.1  | 05.1.1, 05.1.2 | Policies for information security
5.2  | 06.1.1 | Information security roles and responsibilities
5.3  | 06.1.2 | Segregation of duties
5.4  | 07.2.1 | Management responsibilities
5.5  | 06.1.3 | Contact with authorities
5.6  | 06.1.4 | Contact with special interest groups
5.7  | New | Threat intelligence
5.8  | 06.1.5, 14.1.1 | Information security in project management
5.9  | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

2022 control | 2013 control | Control name
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

2022 control | 2013 control | Control name
7.1  | 11.1.1 | Physical security perimeters
7.2  | 11.1.2, 11.1.6 | Physical entry
7.3  | 11.1.3 | Securing offices, rooms and facilities
7.4  | New | Physical security monitoring
7.5  | 11.1.4 | Protecting against physical and environmental threats
7.6  | 11.1.5 | Working in secure areas
7.7  | 11.2.9 | Clear desk and clear screen
7.8  | 11.2.1 | Equipment siting and protection
7.9  | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

2022 control | 2013 control | Control name
8.1  | 06.2.1, 11.2.8 | User endpoint devices
8.2  | 09.2.3 | Privileged access rights
8.3  | 09.4.1 | Information access restriction
8.4  | 09.4.5 | Access to source code
8.5  | 09.4.2 | Secure authentication
8.6  | 12.1.3 | Capacity management
8.7  | 12.2.1 | Protection against malware
8.8  | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing