Table of contents
- ISO27002: 2022 Clause 5.2 Information Security Roles and Responsibilities
- What is ISO27001 Annex A 5.2?
- ISO27001 Annex A 5.2 Definition
- ISO27001 Annex A 5.2 Implementation Guide
- ISO27001 Annex A 5.2 Templates
- How to comply with ISO27001 Annex A 5.2
- How to pass an audit of ISO27001 Annex A 5.2
- Top 3 Annex ISO27001 A 5.2 Mistakes People Make
- Why is ISO27001 Annex A 5.2 Important?
- ISO27001 Annex A 5.2 FAQ
- Matrix of controls and attribute values
- See Also
ISO27002: 2022 Clause 5.2 Information Security Roles and Responsibilities
In this article I lay bare ISO27001 Annex A 5.2 / ISO27002: 2022 Clause 5.2 Information Security Roles and Responsibilities.
A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex A 5.2
What is ISO27001 Annex A 5.2?
ISO27001 Annex A 5.2 Information Security Roles and Responsibilities is an ISO27002:2022 control that requires an organisation to define information security roles and responsibilities and allocate those to people.
ISO27001 Annex A 5.2 Definition
The ISO27001 standard defines Annex A 5.2 as:
Information security roles and responsibilities should be defined and allocated according to the organization needs.ISO27001 Annex A 5.2
ISO27001 Annex A 5.2 Implementation Guide
You are going to have to
- work out what roles you need
- decide on what responsibilities those roles have
- pick people in your organisation and assign those roles and responsibilities to them
- document it
- publish it
- have them acknowledged by staff
- review them at regular intervals
The absolute best way to do this is to use the Assigned Roles and Responsibilities template that has the roles and responsibilities already written out and all you have to do is put the names of the people in it.
If you are resolutely dead set on going through the pain of this yourself you are going to need copies of the relevant standards for information security, about 1week of your life dedicated to this and a lot, and I mean a lot, of patience.
You then need to work through those policies, and research organisational best practice, and work out exactly what roles you need. Then work out what responsibilities they should have. We fast tracked it in our template and can tell you it is a massive ball ache.
When you finally do implement it, depending on the size of your organisation, it is not uncommon for one person to hold more than one role.
You may be thinking, if it is one person doing all the work why do I need to document so many roles?
The short answer is because the ISO27001 standard requires it and if you are going for ISO27001 certification then you need it.
The longer answer is that as you grow, more people will take on these roles and spread the work load.
ISO27001 Annex A 5.2 Templates
If you want to write these yourself I totally commend you. Maybe I also pity you in equal measure. These templates take 25 years of experience and distill it into amazing ISO27001 templates of prewritten best practice awesomeness.
How to comply with ISO27001 Annex A 5.2
To comply with ISO27001 Annex A 5.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Write a roles and responsibilities document
- Set out what roles you have and the responsibilities those roles undertake
- Create an organisation of the roles to show how they work together
- Assign people to those roles and document when they were assigned
- Review and approve the roles and reponsibilties document
- Publish the roles and responsibilities document to a place everyone that needs to see them can see them
- Plan to review your roles and responsibilities at least annually or if significant change occurs
- Keep records of your review and the changes
How to pass an audit of ISO27001 Annex A 5.2
To pass an audit of ISO27001 Annex A 5.2 you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.
Top 3 Annex ISO27001 A 5.2 Mistakes People Make
The top 3 Mistakes People Make For ISO27001 Annex A 5.2 are
#1 You have not documented the actual roles you require
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.
#2 You allocated a role to someone that no longer works here
Prior to the audit check that roles are assigned to people that actually work here. You will be surprised how often this trips people up. Check!
#3 Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no ‘comments’ in are all good practices.
Why is ISO27001 Annex A 5.2 Important?
ISO27001 Annex A 5.2 Information Security Roles and Responsibilities is important because an information security management system needs people to manage it.
It sets our what they are managing and by documenting it you make sure you are not missing something.
We build an effective management system by setting out what needs to be done and who is doing it.
ISO27001 Annex A 5.2 FAQ
Yes. It is fine for 1 person to perform more than one role.
Possibly. It would be good practice to involve them for sure.
The roles required for ISO27001 Annex A 5.2 include as a minimum:
Information Security Leadership
Information Security Manager
Management Review Team
Third Party Supplier Manager
Business Continuity Manager
There are templates for ISO27001 Annex A 5.2 located here: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/
ISO27001 Annex A 5. Sample PDF: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/
Yes. Whilst the ISO27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.2. People and what they do are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO27001.
Yes. You can write the roles and responsibilities for ISO27001 Annex A 5.2 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.
ISO27001 templates for ISO27001 Annex A 5.2 are located here: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/
ISO27001 Annex A 5.2 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend templates to fast track your implementation.
ISO27001 Annex A 5.2 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the template: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/
The cost of ISO27001 Annex A 5.2 will depend how you go about it. If you do it yourself it will be free but will take you about 1 week so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at a maybe £15/ £20.
Matrix of controls and attribute values
- Guaranteed ISO27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO27001 TOOLKIT so you can do it yourself
- ISO27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO27001 Certification (Number 3 will blow your mind!)
- The Ultimate Reference Guide to ISO27001 Controls
ISO/IEC 27001 Information Security Management
FREE 30 minute ISO27001 strategy session.
Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.