Table of contents
Information Security Roles and Responsibilities
In this ultimate guide to ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities you will learn
- What is ISO 27001 Annex A 5.2
- How to implement ISO 27001 Annex A 5.2
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 5.2?
ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities is an ISO 27001 Annex A control that requires an organisation to define information security roles and responsibilities and allocate those to people.
Purpose
The purpose of ISO 27001 Annex A 5.2 is to ensure that a defined, approved and understood structure is in place for the implementation and operation of the information security management system.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.2 as:
Information security roles and responsibilities should be defined and allocated according to the organisation needs.
ISO27001:2022 Annex A 5.2 Information Security Roles and Responsibilities
Information security roles and responsibilities should be documented and allocated. It is important to have competent people in place implementing and operating the information security management system.
Implementation Guide
You are going to have to
- work out what roles you need
- decide on what responsibilities those roles have
- pick people in your organisation and assign those roles and responsibilities to them
- document it
- publish it
- have them acknowledged by staff
- review them at regular intervals
The absolute best way to do this is to use the Assigned Roles and Responsibilities template that has the roles and responsibilities already written out and all you have to do is put the names of the people in it.
If you are resolutely dead set on going through the pain of this yourself you are going to need copies of the relevant standards for information security, about 1 week of your life dedicated to this and a lot, and I mean a lot, of patience.
You then need to work through policies, research organisational best practice, and work out exactly what roles you need. Then work out what responsibilities they should have. We fast tracked it in our template and can tell you it is a massive ball ache.
When you finally do implement it, depending on the size of your organisation, it is not uncommon for one person to hold more than one role.
You may be thinking, if it is one person doing all the work why do I need to document so many roles?
The short answer is because the ISO 27001 standard requires it and if you are going for ISO 27001 certification then you need it.
The longer answer is that as you grow, more people will take on these roles and spread the work load.
Watch the Tutorial
Watch ISO 27001 Annex A 5.2 Roles and Responsibilities | Beginners Guide
ISO 27001 Templates
ISO 27001 policy templates are a fast track that are guaranteed to save you time and money. ISO 27001 Annex A 5.2 templates are focused on the roles and responsibilities for the information security management system.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to comply
To comply with ISO 27001 Annex A 5.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Write a roles and responsibilities document
- Set out what roles you have and the responsibilities those roles undertake
- Create an organisation of the roles to show how they work together
- Assign people to those roles and document when they were assigned
- Review and approve the roles and reponsibilties document
- Publish the roles and responsibilities document to a place everyone that needs to see them can see them
- Plan to review your roles and responsibilities at least annually or if significant change occurs
- Keep records of your review and the changes
How to pass an audit
To pass an audit of ISO 27001 Annex A 5.2 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas for compliance with Annex A 5.2. Lets go through them
1. That you have documented your roles and responsibilities
What this means is that you will have a document that sets out what the roles and responsibilities are that are involved in the implementation and operation of your information security management system. What needs doing and what will be done.
2. That you have have allocated your roles and responsibilities
For the roles and responsible that you have defined and documented you are going to allocate people to them to do the work. Has each defined role been allocated to someone and can you say who if asked?
3. That allocated people are competent
We allocate people but not just any old people. The people that do the role have to be competent to perform the role. This usually means the checking of qualifications, training and / or experience.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 5.2 are
1. You have not documented the actual roles you require
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.
2. You allocated a role to someone that no longer works here
Prior to the audit check that roles are assigned to people that actually work here. You will be surprised how often this trips people up. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no ‘comments’ in are all good practices.
FAQ
Yes. It is fine for 1 person to perform more than one role.
Possibly. It would be good practice to involve them for sure.
The roles required for ISO 27001 Annex A 5.2 include as a minimum:
CEO
Leadership Team
Information Security Leadership
Information Security Manager
Management Review Team
Third Party Supplier Manager
Business Continuity Manager
Information Owners
There are templates for ISO 27001 Annex A 5.2 located here.
ISO 27001 Annex A 5.2 Sample PDF can be download at High Table: The ISO 27001 Company.
Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.2. People and what they do are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO 27001.
Yes. You can write the roles and responsibilities for ISO 27001 Annex A 5.2 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.
ISO 27001 templates for ISO 27001 Annex A 5.2 are located in the ISO 27001 Toolkit
ISO 27001 Annex A 5.2 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend templates to fast track your implementation.
ISO 27001 Annex A 5.2 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the ISO 27001 Annex A 5.2 template
The cost of ISO 27001 Annex A 5.2 will depend how you go about it. If you do it yourself it will be free but will take you about 1 week so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at a maybe £15/ £20.
Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 5.2:
Improved security: People will be allocated to required roles reducing the likelihood and impact of an attack
Reduced risk: Having people allocated and performing the required roles of the information security management system will reduce risk
Improved compliance: Standards and regulations require roles and responsibilities to be in place
Reputation Protection: In the event of a breach having roles and responsibilities defined and people allocated will reduce the potential for fines and reduce the PR impact of an event
ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities is important because an information security management system needs people to manage it.
It sets out what they are managing and by documenting it you make sure you are not missing something.
We build an effective management system by setting out what needs to be done and who is doing it and we make sure people are competent to do what is being asked.
The senior leadership team is responsible for the roles and responsibilities. They are best placed to allocate the required resources and sign off any investments required in terms of training, finance, new head count or extra duties for existing staff.
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Identify | Governance | Governance and Ecosystem |
| Integrity | Resilience | |||
| Availability | Protection |