How to do organizational roles, responsibilities and authorities in ISO27001 (Clause 5.3)
The principle behind this is that people in the organisation need to be clear about what part they have to play in making sure all is well with information security in the organisation. As an auditor I have met senior people in organisations who, when I ask the question “What part do you play with respect to information security?”, have given me blank looks. This is not good.
What roles should you define?
ISO27001 mandates implicitly or explicitly three specific roles that you must have:
- A manager of the Information Security Management System (ISMS), i.e. someone who looks after the ISMS and makes sure all is well with the ISMS.
- Someone who reports on the performance of the ISMS to top management.
- Internal auditor.
These are all the formal roles you must assign. There are some other clauses in ISO27001 that can be interpreted as implying other roles, but I suggest you keep it simple and view the above 3 as the only mandatory roles required by ISO27001.
These are roles and so need to be allocated to individuals. In most organisations these will be part-time roles. The first two are usually assigned to the same person. The internal auditor role could be assigned to someone external to the organisation and of course may change over time.
Other typical people in an organisation who are likely to have some information security responsibilities are: Information Security Manager, CTO, CEO, COO, CIO, Security Architect, Facilities Manager and risk owners, but of course this will vary considerably depending on the organisation.
There are a few ways of “finding” such people, for example:
1) Anyone in the organisation with the word “security” in their job title.
2) If job descriptions are available then searching for the word “security” can indicate some of these people.
3) If there is some kind of information security committee then all the attendees should be on the list.
Of course everyone in the organisation plays some part with respect to information security, but I suggest you focus on the senior people and any others with specific roles, for example the security architect.
Make a list of these roles/people including the 3 mandatory roles. These are the important roles/people with respect to information security.
For each of these you now need to be clear about what their responsibilities and authorities are with respect to information security. This is usually a paragraph or two for each one and is usually represented either as roles or as responsibilities associated with existing jobs in the organisation.
A few examples
Below are a few possible examples of some possible roles that either:
- already exist in the organisation (e.g. CEO), or
- are specific to the ISMS and are likely to be allocated to an individual with other responsibilities (e.g. ISMS Manager).
Some of these examples are a bit questionable really but you get the idea.
Chief Executive Officer (CEO)
The CEO is accountable to the Board for the security of information in the organisation. The CEO ensures that information security retains a high profile within the organisation and that adequate resources are provided to achieve the information security objectives.
Chief Operating Officer (COO)
The COO is responsible for the ongoing management of the information security risks of the organisation.
Chief Technical Officer (CTO)
The CTO ensures that IT systems and processes are in line with the security policies, business partner requirements and relevant standards. The CTO also ensures that sufficient IT resource is available for the appropriate design and maintenance of system security.
Information Security Manager
The Information Security Manager is responsible for ensuring that the necessary policies, processes and practices are in place to help ensure that the organisation manages information security in line with the organisation’s objectives.
Information Security Management System Manager (ISMSM)
The ISMSM is responsible for managing and operating the ISO27001 compliant ISMS. The ISMSM also reports as necessary on the performance of the ISMS.
Internal Auditor
In accordance with the defined Internal Audit processes and schedules, the Internal Auditor is responsible for undertaking, in an objective and impartial way, the regular “health checks” of the implementation of the ISMS.
How should you document this?
There is no formal requirement in ISO27001 to document this, but I recommend that you do so. There are a few different ways of doing this; I suggest you use whatever works best for you:
1) In the information security policy
At a high level you put some statements into your information security policy about the key roles. I usually use this approach. See https://www.dhirubhai.net/pulse/example-information-security-policy-iso27001-clause-52-chris-hall/
2) Create a separate document “Organizational roles, responsibilities and authorities”
You just list them out in a separate document.
3) In the job descriptions
In organisations with formal job descriptions these should include the information security responsibilities.
4) In personal objectives, e.g. as part of yearly appraisals
It is reasonable that people with information security responsibilities have personal objectives related to information security. In large organisations with very formal approaches to this, these would be documented. But even in an organisation with 3 people it is important that all 3 have a clear understanding of their personal objectives with respect to information security.
Communication of these roles
At the risk of stating the obvious, it is important that all the people in these roles know what that means to them, and take them seriously.
Any one of those people should be able to answer such questions as:
- “What part do you play with respect to information security in your organisation?”
- “Can you explain how you do this?”
- “Can you give an example where you have taken information security into account in your decision making?”
- “Can you give me an example of how you promote information security in your sphere of influence?”
If they hesitate or cannot answer then that is bad.
Not only that, but it is also important that other people in the organisation know about these roles and who has responsibility for what. It is reasonable to be able to ask anyone in the organisation “Who in the organisation looks after information security?” and get some sort of answer. This answer might be along the lines of “I play a part, but there is also an information security manager, and the CTO makes sure all is well with IT security”. However, it is of course not reasonable to expect everyone in the organisation to be able to fully answer a question of this type.
Anything else?
Yes. Again at the risk of stating the obvious, it is important that all these people have the necessary skills/competence to undertake their roles. This is requirement 7.2 in ISO27001.
Chris
A list of my articles is here: https://www.btrp.co.uk/Articles2
IT & InfoSec @ Hitec SRL | ISO 27001 Practitioner & Auditor | Process Improvement Expert | Blockchain & Mobile Tech Enthusiast
Great post! Role segregation would also mean that who audits is different from who keeps / tracks records of the ISMS and... also different from who operates within the scope of the ISMS on a regular basis? I have heard that approach lots of times. It's crystal clear that the internal Auditor role is a different person. However, sometimes the other part of the statement is not too clear. Especially IMHO at small companies which can't, sometimes, perhaps, afford CIO or CISO roles, or within the scope of application of the ISMS can't have part-time people operating and also reporting, like a conflict of interest. Would like to hear your thoughts on this Chris Hall, thanks a lot!
In strict hierarchies this works like a charm... on the other hand in deeply democratic and distributed fiefdoms this is a huge challenge.
Information Security Specialist | ISO 27001 Expert | Risk Management Specialist | Internal Auditor
Thanks for posting
Consultant & Trainer - Information Security, Data Protection & Privacy
Thanks for sharing.
Hi Chris, if you are thinking extremely that you have not identified any risks, how do you treat Annex A in this case? Regards Toby