ISO27001 Annex A 5.2 Information Security Roles and Responsibilities Beginner’s Guide

Share with your network

ISO27002: 2022 Clause 5.2 Information Security Roles and Responsibilities

In this article I lay bare ISO27001 Annex A 5.2  / ISO27002: 2022 Clause 5.2 Information Security Roles and Responsibilities.

A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex A 5.2

What is ISO27001 Annex A 5.2?

ISO27001 Annex A 5.2 Information Security Roles and Responsibilities is an ISO27002:2022 control that requires an organisation to define information security roles and responsibilities and allocate those to people.

ISO27001 Annex A 5.2 Definition

The ISO27001 standard defines Annex A 5.2 as:

Information security roles and responsibilities should be defined and allocated according to the organization needs.

ISO27001 Annex A 5.2

ISO27001 Annex A 5.2 Implementation Guide

You are going to have to

  • work out what roles you need
  • decide on what responsibilities those roles have
  • pick people in your organisation and assign those roles and responsibilities to them
  • document it
  • publish it
  • have them acknowledged by staff
  • review them at regular intervals

The absolute best way to do this is to use the Assigned Roles and Responsibilities template that has the roles and responsibilities already written out and all you have to do is put the names of the people in it.

If you are resolutely dead set on going through the pain of this yourself you are going to need copies of the relevant standards for information security, about 1week of your life dedicated to this and a lot, and I mean a lot, of patience.

You then need to work through those policies, and research organisational best practice, and work out exactly what roles you need. Then work out what responsibilities they should have. We fast tracked it in our template and can tell you it is a massive ball ache.

When you finally do implement it, depending on the size of your organisation, it is not uncommon for one person to hold more than one role.

You may be thinking, if it is one person doing all the work why do I need to document so many roles?

The short answer is because the ISO27001 standard requires it and if you are going for ISO27001 certification then you need it.

The longer answer is that as you grow, more people will take on these roles and spread the work load.

ISO27001 Annex A 5.2 Templates

If you want to write these yourself I totally commend you. Maybe I also pity you in equal measure. These templates take 25 years of experience and distill it into amazing ISO27001 templates of prewritten best practice awesomeness.

How to comply with ISO27001 Annex A 5.2

To comply with ISO27001 Annex A 5.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Write a roles and responsibilities document
  • Set out what roles you have and the responsibilities those roles undertake
  • Create an organisation of the roles to show how they work together
  • Assign people to those roles and document when they were assigned
  • Review and approve the roles and reponsibilties document
  • Publish the roles and responsibilities document to a place everyone that needs to see them can see them
  • Plan to review your roles and responsibilities at least annually or if significant change occurs
  • Keep records of your review and the changes

How to pass an audit of ISO27001 Annex A 5.2

To pass an audit of ISO27001 Annex A 5.2 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.

Top 3 Annex ISO27001 A 5.2 Mistakes People Make

The top 3 Mistakes People Make For ISO27001 Annex A 5.2 are

#1 You have not documented the actual roles you require

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.

#2 You allocated a role to someone that no longer works here

Prior to the audit check that roles are assigned to people that actually work here. You will be surprised how often this trips people up. Check!

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no ‘comments’ in are all good practices.

Why is ISO27001 Annex A 5.2 Important?

ISO27001 Annex A 5.2 Information Security Roles and Responsibilities is important because an information security management system needs people to manage it.

It sets our what they are managing and by documenting it you make sure you are not missing something.

We build an effective management system by setting out what needs to be done and who is doing it.

ISO27001 Annex A 5.2 FAQ

We are a small team and 1 or 2 people do everything, is that ok?

Yes. It is fine for 1 person to perform more than one role.

Shouldn’t HR do this?

Possibly. It would be good practice to involve them for sure.

What roles are required for ISO27001 Annex A 5.2?

The roles required for ISO27001 Annex A 5.2 include as a minimum:
Leadership Team
Information Security Leadership
Information Security Manager
Management Review Team
Third Party Supplier Manager
Business Continuity Manager
Information Owners

Are there free templates for ISO27001 Annex A 5.2?

There are templates for ISO27001 Annex A 5.2 located here:

Do I have to satisfy ISO 7001 Annex A 5.2 for ISO27001 Certification?

Yes. Whilst the ISO27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.2. People and what they do are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO27001.

Can I write roles and responsibilities for ISO27001 Annex A 5.2 myself?

Yes. You can write the roles and responsibilities for ISO27001 Annex A 5.2 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.

Where can I get templates for ISO27001 Annex A 5.2?

ISO27001 templates for ISO27001 Annex A 5.2 are located here:

How hard is ISO27001 Annex A 5.2?

ISO27001 Annex A 5.2 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend templates to fast track your implementation.

How long will ISO27001 Annex A 5.2 take me?

ISO27001 Annex A 5.2 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the template:

How much will ISO27001 Annex A 5.2 cost me?

The cost of ISO27001 Annex A 5.2 will depend how you go about it. If you do it yourself it will be free but will take you about 1 week so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at a maybe £15/ £20.

Matrix of controls and attribute values

Control typeInformation
security properties
Security domains

See Also


ISO/IEC 27001 Information Security Management

Share with your network
ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green
Free ISO27001 Strategy Call
Shopping Cart