How to Implement ISO 27001 Annex A 5.2: A Practical Guide to Roles and Responsibilities

/ By
How to Implement ISO 27001 Annex A 5.2

If you have ever tried to organise a group dinner where nobody knew who was bringing the drinks, who was cooking, or who was cleaning up, you already understand why ISO 27001 Annex A 5.2 exists. In the world of information security, leaving tasks to “someone” usually means they get done by “no one.”

Annex A 5.2 is all about Information Security Roles and Responsibilities. It sounds dry, but it is actually the backbone of your entire Information Security Management System (ISMS). If you don’t get this right, your policies are just paperweights.

Let’s walk through exactly how to implement this control, keep your auditor happy, and more importantly actually secure your organization.

Table of contents

What is Annex A 5.2 Actually Asking For?

The requirement is deceptively simple: Information security roles and responsibilities should be defined and allocated according to the organization’s needs.

In plain English, this means you need to:

  • Figure out what security tasks need doing.
  • Decide who is going to do them.
  • Write it down.
  • Make sure those people actually know they are responsible.

This isn’t just about hiring a CISO (Chief Information Security Officer). It’s about ensuring that from the CEO down to the new intern, everyone knows where they fit into the security puzzle.

Step 1: Identify Your Security Needs

Before you start assigning names to boxes, you need to know what the boxes are. You can’t assign responsibility for “patch management” if you haven’t decided that patching is a critical control for your business (spoiler: it is).

Look at your risk assessment and your Statement of Applicability. What needs to happen to keep your data safe? Common responsibilities include:

  • Leadership oversight: Who takes the ultimate blame (and credit) for security?
  • Risk management: Who decides which risks are acceptable?
  • Asset protection: Who owns the laptop, the server, or the customer database?
  • Incident response: Who do you call when things go wrong?
  • User access reviews: Who checks that ex-employees are locked out?

Step 2: Define the Roles (Not Just Job Titles)

A common mistake is thinking you need to create brand new job titles for everything. You don’t. In fact, for smaller organizations, that’s impossible. You just need to map security responsibilities to existing roles.

Here are the key players you usually need to define:

Senior Management

Top management cannot delegate accountability. They are responsible for ensuring the ISMS achieves its intended outcomes. They need to approve policies and provide resources (budget and people).

The Information Security Manager / CISO

This is the person steering the ship. They monitor the ISMS, run the audits, and report to management. In a small company, this might be the CTO or an IT Manager wearing a “Security Hat.”

Asset Owners

Every piece of data and hardware needs a “parent.” The Asset Owner is responsible for ensuring their asset is classified and protected correctly throughout its lifecycle.

All Employees

Yes, everyone. Every single employee has a role, usually defined in your Acceptable Use Policy. Their responsibility is to follow the rules, report incidents, and not write their password on a sticky note.

Step 3: Allocation and Segregation of Duties

Once you have your list of duties, you need to assign them. This brings us to a critical concept: Segregation of Duties (often referenced in Annex A 5.3, but vital here too).

The golden rule is that the person who does the thing shouldn’t be the person who checks the thing. For example:

  • The person who requests a new user account shouldn’t be the one to approve it.
  • The developer who writes the code shouldn’t be the one pushing it to the live production environment without checks.

Can one person hold multiple roles? Absolutely. In a startup, the CEO might also be the Head of Sales and the Risk Owner. That is fine, provided they have the competence to do it and you aren’t creating a conflict of interest where they are auditing their own homework.

Step 4: Documenting Everything (The RACI Matrix)

If it isn’t written down, it didn’t happen. Auditors love documentation. The best way to handle this is often a RACI Matrix. This chart lists tasks and defines who is:

  • Responsible (The doer)
  • Accountable (The buck stops here)
  • Consulted (Needs to provide input)
  • Informed (Needs to be kept in the loop)

For those who want to speed up this process, utilizing pre-made resources can be a lifesaver. Platforms like Hightable.io offer comprehensive ISO 27001 toolkits and templates, including role matrices, which can save you days of drafting time. Using a template ensures you don’t miss standard roles required for compliance.

Step 5: Communication and Competence

Writing a document is easy; getting people to read it is hard. You must communicate these roles.

When an auditor walks in, they won’t just look at your org chart. They will walk up to a random employee and ask, “What are your responsibilities regarding information security?”

If the employee stares blankly, you have a non-conformity. Ensure you:

  • Include security responsibilities in job descriptions.
  • Cover roles during onboarding.
  • Refresh this knowledge during annual security awareness training.

DO IT YOURSELF

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit
ISO 27001 Toolkit Business Edition

Common Pitfalls to Avoid

Implementation is rarely perfect on the first try. Watch out for these traps:

  • The “Ghost” Employee: Assigning roles to people who left the company six months ago. Keep your documents current!
  • Over-reliance on one person: If “Dave” is the only one who knows how to restore the backups and manage the firewall, you have a single point of failure.
  • Vague definitions: Avoid saying “IT is responsible.” Which person in IT? Specificity creates accountability.

Conclusion

Implementing ISO 27001 Annex A 5.2 isn’t about creating bureaucracy; it’s about clarity. When everyone knows what they are supposed to protect and how, your organization becomes more resilient by default.

Start by mapping your needs, be realistic about who can do what, and document it clearly. Whether you build your own matrix or use a toolkit from a provider like Hightable.io, the goal is the same: a security culture where everyone knows their part.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director
Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.
Shopping Basket
Scroll to Top