ISO 27001:2022 Annex A 5.2 Information security roles and responsibilities

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.2 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.2 requires organizations to define and allocate information security roles and responsibilities based on their specific needs. This control ensures that everyone, from the Board of Directors to the newest employee, knows exactly what is expected of them regarding data protection. Without clearly defined roles, critical security tasks (like incident response or patch management) can easily fall through the cracks, leading to audit failures and security breaches.

  • You must clearly define who is in charge of information security. This means spelling out what each person’s job is.
  • After defining the roles, you need to assign people to them and write everything down. This makes sure everyone knows their part.
  • The main leaders in the company are responsible for making sure these roles are set up correctly and that people have what they need to do their jobs.

Core requirements for compliance include:

  • Explicit Definition: You must clearly document what each security role does. This is typically achieved through a Roles and Responsibilities Matrix or by including security duties within standard job descriptions.
  • Allocation to Competent Personnel: Roles must be assigned to individuals who have the skills and authority to perform them. In smaller organizations, it is common (and acceptable) for one person to hold multiple roles.
  • Management Oversight: Senior leadership is accountable for ensuring these roles are correctly set up and adequately resourced with the necessary tools, time, and training.
  • Avoidance of Conflict: Responsibilities should be allocated to prevent “conflict of interest.” For example, the person who implements a security change should ideally not be the only person who approves it.
  • Regular Review: Roles and responsibilities must be reviewed at least annually or whenever there is a significant change in the organization, such as a restructuring or a major technology shift.

Audit Focus: Auditors will look for “The Ownership Gap”:

  1. Staff Interviews: “Who is responsible for managing your firewall?” or “What is your specific role if a data breach occurs?”
  2. Evidence of Assignment: “Show me where your Chief Information Security Officer (CISO) role is formally documented and who has been appointed to it.”
  3. Resource Support: They will check if the people assigned to these roles have the actual time and budget to carry them out.

Common Roles Matrix (RACI Example):

| Activity | CISO | CEO / Board | IT Manager | HR Manager | All Staff | ISO 27001:2022 Control |
| --- | --- | --- | --- | --- | --- | --- |
| Approve Policy | C (Consulted) | A (Accountable) | I (Informed) | I | I | Annex A 5.1 / 5.2 |
| Manage Incidents | R (Responsible) | A | C | C | I | Annex A 5.2 / 5.24 |
| Patch Systems | C | I | R | I | I | Annex A 5.2 / 8.8 |
| Screen New Hires | I | I | I | R | I | Annex A 5.2 / 6.1 |
| Report Phishing | I | I | I | I | R | Annex A 5.2 / 6.3 |

What is ISO 27001 Annex A 5.2?

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities is about ensuring that you have the roles required for information security and that those roles and their responsibilities are documented.

It is important to have competent people in place implementing and operating the information security management system.

ISO 27001 Annex A 5.2 is an ISO 27001 control that requires an organisation to define information security roles and responsibilities and allocate those to people.

The current version of the ISO 27001 standard is ISO/IEC 27001:2022, which came out in October 2022. In this standard, the control is called “Information Security Roles and Responsibilities”.

ISO 27001 Annex A 5.2 Purpose

The purpose of ISO 27001 Annex A 5.2 is to ensure that a defined, approved and understood structure is in place for the implementation and operation of the information security management system.

ISO 27001 Annex A 5.2 Control Objective

The official goal in the standard is simple: you should clearly define and allocate all information security roles and tasks based on your company’s needs.

ISO 27001 defines ISO 27001 Annex A 5.2 Roles and Responsibilities as:

Information security roles and responsibilities should be defined and allocated according to the organisation’s needs.

Watch the ISO 27001 Annex A 5.2 Video Tutorial

In the video ISO 27001 Annex A 5.2 Roles and Responsibilities Explained I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.2 Podcast

In this episode, Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.2 Roles and Responsibilities. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.2 Implementation Guide

To implement this control you should have clear plans and policies. Here are some important steps:

  • work out what roles you need
  • decide on what responsibilities those roles have
  • pick people in your organisation and assign those roles and responsibilities to them
  • document it
  • publish it
  • have them acknowledged by staff
  • review them at regular intervals

How to document roles and responsibilities

You are going to need copies of the relevant standards for information security.

You then need to work through policies, research organisational best practice, and work out exactly what information security roles and responsibilities you need.

When you implement it, depending on the size of your organisation, it is not uncommon for one person to hold more than one role.

You may be thinking, if it is one person doing all the work why do I need to document so many roles?

The short answer is because the ISO 27001 standard requires it and if you are going for ISO 27001 certification then you need it.

The longer answer is that as you grow, more people will take on these roles and spread the work load.

How to identify the mandatory roles you need

You start with the list of controls from Annex A that you have chosen. Then, you will figure out what roles are needed for each of those controls.

Once you have identified all the roles, you will assign them to people in your organisation. It’s important to make sure the person you choose is able to perform the role and that their new duties won’t conflict with their current responsibilities.

Can one person hold more than one role?

If you work in a small business, you might wonder if you need all these roles and if one person can handle multiple roles. The answer is yes, you do need certain specific roles, and yes, one person can indeed hold more than one role.

What is an ISO 27001 Management Review Team?

This group sits above the information security management system. It has very specific requirements and a defined role. The team’s responsibilities include:

How to implement ISO 27001 Annex A 5.2

Implementing ISO 27001 Annex A 5.2 requires a transition from general security awareness to defined technical accountability. By formalising exactly who is responsible for specific security outcomes, an organisation eliminates the “security gap” where critical tasks are overlooked. This action-oriented guide outlines the necessary steps to provision roles, formalise authorities, and ensure that your Information Security Management System (ISMS) has the human infrastructure required for compliance.

1. Formalise Top Management Accountability

Establish the foundation of the ISMS by documenting the ultimate accountability of the Board or Executive team. This action results in a governance layer that ensures security objectives are aligned with business goals and that adequate resources are provisioned.

  • Incorporate information security performance into the Board of Directors’ annual agenda.
  • Document the appointment of a member of top management as the ultimate “Accountable” party for the ISMS.
  • Formalise the approval process for the Information Security Policy and Risk Treatment Plan.

2. Provision an Information Security Lead Role

Assign the day-to-day operation of the ISMS to a competent individual, such as a CISO or Information Security Manager. This result-focused step ensures that a central point of contact exists for all security-related decision-making and reporting.

  • Define the specific authority of the Security Lead to halt business processes if significant risks are identified.
  • Establish direct reporting lines from the Security Lead to top management to ensure unbiased risk communication.
  • Map specific Identity and Access Management (IAM) administrative roles to this position to facilitate oversight.

3. Execute a RACI Matrix for Security Processes

Identify every security control within your Statement of Applicability and assign specific roles to each. This action results in a clear map of who is Responsible, Accountable, Consulted, and Informed for every technical and organisational control.

  • Utilise a formal RACI matrix to define ownership of tasks such as backup verification, log reviews, and patch management.
  • Identify “Asset Owners” for every item in your Information Asset Register as required by Annex A 5.9.
  • Document “Rules of Engagement” (ROE) for third-party contractors to ensure they understand their specific security boundaries.

4. Formalise Security Duties in Job Descriptions

Integrate specific security requirements into the employment lifecycle by updating standard job descriptions. This action results in security being a contractual obligation for all staff rather than an optional activity.

  • Include “Adherence to the Acceptable Use Policy” as a core requirement for all personnel roles.
  • Define specific technical security duties for IT staff, such as firewall configuration or vulnerability remediation.
  • Establish a formalised sign-off process where employees acknowledge their specific security responsibilities upon hire and during annual reviews.

5. Execute Periodic Role and Authority Reviews

Perform a bi-annual review of all assigned security roles to ensure they remain appropriate as the organisation scales. This result-oriented step ensures that “privilege creep” is identified and that responsibilities are redistributed following organisational changes.

  • Review and update the ISMS organisational chart to reflect recent joiners, movers, and leavers.
  • Verify that individuals assigned to specific security roles still possess the necessary competence and training.
  • Document the results of these reviews as mandatory evidence for your ISO 27001 Stage 2 audit.

Common Roles Matrix

| Activity | CISO | CEO / Board | IT Manager | HR Manager | All Staff |
| --- | --- | --- | --- | --- | --- |
| Approve Security Policy | C (Consulted) | A (Accountable) | I (Informed) | I | I |
| Manage Incidents | R (Responsible) | A | C | C | I |
| Patch Systems | C | I | R | I | I |
| Screen New Hires | I | I | I | R | I |
| Report Phishing | I | I | I | I | R |

ISO 27001 Roles and Responsibilities Template

The ISO 27001 Assigned Roles and Responsibilities template has the roles and responsibilities already written out and all you have to do is put the names of the people in it.

ISO 27001 Annex A 5.2 Implementation Checklist

1. Define Key Roles and Responsibilities

Challenge: Identifying and defining all necessary roles and responsibilities related to information security.

Solution: Conduct a thorough risk assessment to understand the specific security needs of the organisation. Involve key stakeholders and subject matter experts in the process.

2. Document Roles and Responsibilities

Challenge: Ensuring that all roles and responsibilities are clearly documented and easily accessible to all employees.

Solution: Create a centralised repository for all information security related documentation, such as a shared drive or an internal wiki.

3. Assign Roles and Responsibilities

Challenge: Matching the right individuals to the appropriate roles and responsibilities based on their skills, experience, and job functions.

Solution: Consider factors such as job descriptions, skill assessments, and employee preferences when assigning roles and responsibilities.

4. Communicate and Train

Challenge: Ensuring that all employees understand their roles and responsibilities related to information security.

Solution: Conduct regular training sessions and awareness campaigns to educate employees on their specific responsibilities.

5. Obtain Acknowledgement

Challenge: Ensuring that all employees acknowledge their understanding and acceptance of their assigned roles and responsibilities.

Solution: Implement a system for tracking and recording employee acknowledgements, such as signed forms or online training modules.

6. Monitor and Review

Challenge: Regularly monitoring and reviewing the effectiveness of role and responsibility assignments.

Solution: Conduct periodic reviews to assess whether the current assignments are still appropriate and effective. Consider feedback from employees and managers.

7. Address Changes

Challenge: Ensuring that roles and responsibilities are updated to reflect changes in the organisation, technology, and threat landscape.

Solution: Regularly review and update role and responsibility assignments as needed. Communicate any changes to all affected employees.

8. Ensure Adequate Resources

Challenge: Providing employees with the necessary resources and support to fulfil their information security responsibilities.

Solution: Provide employees with the necessary training, tools, and resources to effectively perform their security-related duties.

9. Promote Accountability

Challenge: Ensuring that individuals are held accountable for fulfilling their information security responsibilities.

Solution: Establish clear consequences for non-compliance with information security policies and procedures. Conduct regular audits and reviews to identify and address any issues.

10. Continual Improvement

Challenge: Continuously improving the process for defining, assigning, and managing information security roles and responsibilities.

Solution: Regularly gather feedback from employees and stakeholders to identify areas for improvement. Conduct periodic reviews of the process and make necessary adjustments.

How to audit ISO 27001 Annex A 5.2

To conduct an internal audit of ISO 27001 Annex A 5.2 Roles and Responsibilities, use the following audit checklist, which sets out what to audit and how to audit it.

1. Review Role and Responsibility Documentation

  • Examine the documented information security roles and responsibilities matrix.
  • Verify that it includes all key roles and responsibilities within the organisation.
  • Check for clarity, completeness, and consistency in the documentation.

2. Assess Role and Responsibility Assignments

  • Determine if roles and responsibilities are appropriately assigned to individuals based on their skills, experience, and job functions.
  • Evaluate whether the workload is appropriately distributed across individuals.
  • Check for any potential conflicts of interest or overlaps in responsibilities.

3. Verify Employee Understanding

  • Interview employees to assess their understanding of their own roles and responsibilities related to information security.
  • Observe employee behaviour to determine if they are fulfilling their assigned responsibilities.
  • Review training records to ensure that employees have received adequate training on their security-related duties.

4. Examine Role and Responsibility Communication

  • Verify that roles and responsibilities are effectively communicated to all employees through appropriate channels (e.g., employee handbooks, intranet, training sessions).
  • Check for evidence of employee acknowledgement of their understanding and acceptance of their roles and responsibilities.

5. Assess Role and Responsibility Reviews

  • Determine if there is a process in place for regularly reviewing and updating roles and responsibilities.
  • Evaluate the effectiveness of the review process in ensuring that roles and responsibilities remain relevant and appropriate.
  • Check for documentation of role and responsibility reviews and any resulting changes.

6. Evaluate Resource Allocation

  • Assess whether employees have the necessary resources (e.g., training, tools, support) to effectively fulfil their information security responsibilities.
  • Identify any resource gaps and recommend appropriate corrective actions.

7. Examine Accountability Mechanisms

  • Determine if there are clear mechanisms in place for holding individuals accountable for fulfilling their information security responsibilities.
  • Evaluate the effectiveness of disciplinary actions taken for non-compliance with information security policies and procedures.

8. Interview Key Personnel

  • Conduct interviews with key personnel, such as senior management, information security officers, and employees.
  • Gather their perspectives on the effectiveness of the organisation’s approach to defining, assigning, and managing information security roles and responsibilities.
  • Verify that the organisation’s approach to roles and responsibilities complies with all applicable laws and regulations.

10. Evaluate Overall Effectiveness

  • Assess the overall effectiveness of the organisation’s approach to defining, assigning, and managing information security roles and responsibilities.
  • Identify areas for improvement and make recommendations for enhancing the effectiveness of the system.

How to pass the ISO 27001 Annex A 5.2 audit

To pass the audit of ISO 27001 Annex A 5.2 you will make sure that you:

  • Write an ISO 27001 roles and responsibilities document
  • Set out what roles you have and the responsibilities those roles undertake
  • Create an organisation structure of the roles to show how they work together
  • Assign people to those roles and document when they were assigned
  • Review and approve the roles and responsibilities document
  • Publish the roles and responsibilities document somewhere that everyone who needs to see it can see it
  • Plan to review your roles and responsibilities at least annually or if significant change occurs
  • Keep records of your review and the changes

What an auditor looks for

The audit is going to check a number of areas for compliance with ISO 27001 Annex A 5.2 Roles and Responsibilities. Let’s go through them:

1. That you have documented your roles and responsibilities

What this means is that you will have a document that sets out the roles and responsibilities involved in the ISO 27001 implementation and in the operation of your information security management system: what needs doing and who will do it.

2. That you have allocated your roles and responsibilities

For the roles and responsibilities that you have defined and documented, you are going to allocate people to them to do the work. Has each defined role been allocated to someone, and can you say who if asked?

3. That allocated people are competent

We allocate people but not just any old people. The people that do the role have to be competent to perform the role. This usually means the checking of qualifications, training and / or experience.

Top 3 ISO 27001 Annex A 5.2 Mistakes and How to Fix Them

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 5.2 Roles and Responsibilities are:

1. You have not documented the actual roles you require

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.

2. You allocated a role to someone that no longer works here

Prior to the audit check that roles are assigned to people that actually work here. You will be surprised how often this trips people up. Check!

3. Your document and version control is wrong

Keep your document version control up to date, make sure that version numbers match wherever they are used, have a review evidenced in the last 12 months, and make sure documents contain no open ‘comments’. These are all good practices.
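The checks this page keeps coming back to (exactly one Accountable party per activity in the RACI matrix, the implementer not being the sole approver, no role left with someone who has departed, and review evidence no older than 12 months) can be run over a roles matrix before the auditor arrives. The following is an added Python example, not part of the original guide or the High Table toolkit; the matrix follows the roles and activities in the page’s Common Roles Matrix, while the staff names, dates and finding codes are constructed.

```python
"""Pre-audit checks for an ISO 27001 Annex A 5.2 roles and responsibilities matrix."""
from datetime import date

VALID_LETTERS = {"R", "A", "C", "I"}
COLLECTIVE_ROLES = {"All Staff"}   # held by everyone, so it has no single named holder
MAX_REVIEW_AGE_DAYS = 365          # "at least annually" / review evidenced in the last 12 months
CHECK_DATE = date(2025, 6, 1)      # constructed check date, fixed so results are reproducible

# Constructed RACI matrix (activity -> role -> letter), following the roles and
# activities of the page's Common Roles Matrix. "Screen New Hires" deliberately
# has no Accountable party so the structural check has something to find.
RACI = {
    "Approve Policy":   {"CISO": "R", "CEO / Board": "A", "IT Manager": "I", "HR Manager": "I", "All Staff": "I"},
    "Manage Incidents": {"CISO": "R", "CEO / Board": "A", "IT Manager": "C", "HR Manager": "C", "All Staff": "I"},
    "Patch Systems":    {"CISO": "A", "CEO / Board": "I", "IT Manager": "R", "HR Manager": "I", "All Staff": "I"},
    "Screen New Hires": {"CISO": "I", "CEO / Board": "I", "IT Manager": "I", "HR Manager": "R", "All Staff": "I"},
    "Report Phishing":  {"CISO": "A", "CEO / Board": "I", "IT Manager": "I", "HR Manager": "I", "All Staff": "R"},
}

# Constructed allocations: one person wears two hats (CISO and IT Manager), and
# the HR Manager role is still assigned to someone who has left the organisation.
ROLE_HOLDERS = {
    "CISO": "Alice Example",
    "CEO / Board": "Bob Example",
    "IT Manager": "Alice Example",
    "HR Manager": "Dana Departed",
}
ACTIVE_STAFF = {"Alice Example", "Bob Example", "Carol Example"}
LAST_REVIEW = date(2024, 1, 10)    # constructed; older than 12 months at CHECK_DATE


def check_matrix(raci):
    """Structural checks: only R/A/C/I letters, exactly one A and at least one R per activity."""
    findings = []
    for activity, row in raci.items():
        letters = list(row.values())
        bad = [letter for letter in letters if letter not in VALID_LETTERS]
        if bad:
            findings.append(f"INVALID-LETTER: {activity} uses {bad}")
        if letters.count("A") != 1:
            findings.append(f"ACCOUNTABLE-COUNT: {activity} has {letters.count('A')} Accountable roles, need exactly 1")
        if "R" not in letters:
            findings.append(f"NO-RESPONSIBLE: {activity} has nobody Responsible")
    return findings


def check_allocation(raci, holders, active_staff):
    """Every named role in the matrix has a holder, and that holder still works here."""
    findings = []
    roles = {role for row in raci.values() for role in row} - COLLECTIVE_ROLES
    for role in sorted(roles):
        holder = holders.get(role)
        if holder is None:
            findings.append(f"UNALLOCATED: {role} has no named holder")
        elif holder not in active_staff:
            findings.append(f"DEPARTED: {role} is held by {holder}, who is not active staff")
    return findings


def check_conflicts(raci, holders):
    """Conflict of interest: the person doing the work (R) must not be the sole approver (A).

    Because one person may hold several roles, this compares people, not role names.
    """
    findings = []
    for activity, row in raci.items():
        approvers = {holders.get(role) for role, letter in row.items() if letter == "A"} - {None}
        doers = {holders.get(role) for role, letter in row.items() if letter == "R"} - {None}
        if len(approvers) == 1 and approvers <= doers:
            (person,) = approvers
            findings.append(f"CONFLICT: {activity} is implemented and solely approved by {person}")
    return findings


def check_review(last_review, today):
    """Review evidence must be no older than 12 months at the check date."""
    age = (today - last_review).days
    if age > MAX_REVIEW_AGE_DAYS:
        return [f"STALE-REVIEW: last review {last_review} is {age} days old"]
    return []


def pre_audit_findings(raci, holders, active_staff, last_review, today):
    """Run all checks and return the findings as a list of coded strings."""
    return (check_matrix(raci) + check_allocation(raci, holders, active_staff)
            + check_conflicts(raci, holders) + check_review(last_review, today))


if __name__ == "__main__":
    for finding in pre_audit_findings(RACI, ROLE_HOLDERS, ACTIVE_STAFF, LAST_REVIEW, CHECK_DATE):
        print(finding)
```

An empty findings list is the state you want before the Stage 2 audit; each coded line maps to one of the evidence gaps described above.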

Applicability of ISO 27001 Annex A 5.2 across different business models

Business Type: Small Businesses

Applicability & Interpretation: “Multiple Hats.” You don’t need a dedicated CISO. Compliance means assigning security duties to existing roles (e.g., Office Manager = Security Lead) and documenting it clearly.

Examples of Control:
  • Org Chart Update: Adding “Information Security Manager” as a secondary title to the Director’s job description.
  • Simple Statement: A policy line stating: “The Business Owner is accountable for all security decisions, while the IT Provider is responsible for patching.”

Business Type: Tech Startups

Applicability & Interpretation: Job Descriptions & Contracts. As you hire, roles blur. Compliance requires updating employment contracts to include specific security responsibilities (e.g., “Developer is responsible for secure coding”).

Examples of Control:
  • The “Security Champion”: Formally designating one developer in each squad to review PRs for security, even if they aren’t a full-time security engineer.
  • RACI Matrix: A simple table defining who is Responsible, Accountable, Consulted, and Informed for critical incidents like “Data Breach.”

Business Type: AI Companies

Applicability & Interpretation: AI Governance Roles. Beyond standard IT security, you need roles for “Model Safety” and “Data Ethics.” Auditors look for clear ownership of AI-specific risks.

Examples of Control:
  • Chief AI Officer (CAIO): Assigning specific accountability for AI bias and safety testing to a senior technical leader.
  • Data Steward: Designating a specific role responsible for the “Provenance” and “Copyright” of training data, separate from the engineering team.

Fast Track ISO 27001 Annex A 5.2 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.2 (Information security roles and responsibilities), the requirement is to clearly define and allocate roles and responsibilities for information security throughout the organization. This ensures accountability and a structured approach to managing your security system.

| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
| --- | --- | --- | --- |
| Asset Ownership | Rents access to your internal structure; if you cancel the subscription, your documented role assignments and history vanish. | Permanent Assets: Fully editable Word/Excel Roles and Responsibilities Matrices that you own forever. | A localized “Roles and Responsibilities Matrix” defining specific security duties for the CISO, IT Manager, and HR. |
| Operational Utility | Attempts to “automate” assignments via dashboards that cannot decide who is best suited for manual tasks like physical key management. | Governance-First: Provides pre-written role descriptions to formalize your existing team structure into an auditor-ready format. | A “Job Description” including specific ISO 27001 clauses to prove that security accountability is part of employment terms. |
| Cost Efficiency | Charges a “Headcount Tax” or “Seat Fee” that scales aggressively as your organization hires more personnel. | One-Off Fee: A single payment covers your role governance for 3 roles or 300, with zero recurring costs. | Allocating budget to professional security training for staff rather than monthly “governance dashboard” subscription fees. |
| Structural Freedom | Mandates rigid RACI formats that often fail to align with lean startup cultures or complex matrix-management environments. | 100% Agnostic: Procedures adapt to your operating style, whether you have one person wearing five hats or specialized teams. | The ability to evolve your organizational chart and security committee without reconfiguring a rigid SaaS compliance module. |

Summary: For Annex A 5.2, the auditor wants to see that you have a formal matrix of roles and responsibilities and proof that people know what they are. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.2 FAQ

What is ISO 27001 Annex A 5.2?

ISO 27001 Annex A 5.2 is an organisational control that requires information security roles and responsibilities to be clearly defined and assigned in accordance with the organisation’s needs.

  • Defines who is accountable for specific security tasks.
  • Prevents overlaps or gaps in security management.
  • Ensures that security is integrated into job descriptions.
  • Facilitates effective communication between stakeholders.

Is a CISO mandatory for ISO 27001 compliance?

No, the standard does not mandate a specific “CISO” job title, but it does require that the responsibilities associated with that role are assigned to a competent individual or group.

  • Small organisations may appoint an Information Security Manager instead.
  • Roles can be outsourced to a Virtual CISO (vCISO).
  • Accountability for security must remain within the internal leadership team.
  • The individual assigned must have the authority to enforce security policies.

What is the difference between Clause 5.3 and Annex A 5.2?

Clause 5.3 is a high-level management requirement for assigning authority, whereas Annex A 5.2 is the operational control used to document and implement those specific security roles.

  • Clause 5.3 belongs to the “Leadership” section of the core standard.
  • Annex A 5.2 provides the practical framework for the Statement of Applicability (SoA).
  • Auditors will look for Clause 5.3 during management interviews and Annex A 5.2 during documentation reviews.
  • Both work together to ensure the ISMS is governed and executed.

What are the primary security roles in an ISMS?

Under ISO 27001, security responsibilities are typically distributed across governance, management, and technical layers.

  • Top Management: Responsible for strategy, resources, and commitment.
  • ISMS Manager: Responsible for the day-to-day operation of security controls.
  • Asset Owners: Responsible for the protection of specific data or systems.
  • All Personnel: Responsible for adhering to acceptable use and security policies.

How should security responsibilities be documented?

Organisations must document security roles using formalised records that are accessible and clear to all relevant personnel.

  • Incorporate security duties into standard Job Descriptions (JDs).
  • Utilise a RACI Matrix (Responsible, Accountable, Consulted, Informed) for complex processes.
  • Define roles within the high-level Information Security Policy.
  • Include security accountability in third-party contract agreements.

Who is ultimately responsible for information security?

Top Management, such as the Board of Directors or Executive Leadership, is ultimately accountable for the effectiveness of the Information Security Management System (ISMS).

  • Leadership must promote a culture of security awareness.
  • They are responsible for approving the risk treatment plan.
  • Responsibility for tasks can be delegated, but the accountability for security success cannot.
  • Auditors will test this by looking for management review meeting minutes.

Further Reading

ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 7.2 Competence

ISO 27001 Competency Matrix Beginner’s Guide

ISO 27001 Roles and Responsibilities Explained

ISO 27001 Annex A 5.4 Management Responsibilities

ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment

Controls and Attribute Values

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| --- | --- | --- | --- | --- |
| Preventive | Confidentiality, Integrity, Availability | Identify | Governance | Governance and Ecosystem, Protection, Resilience |

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
