The ISO 27001 Clause 5.3 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 5.3 Roles and Responsibilities.
The 10-point ISO 27001 audit plan sets out what to audit, the challenges faced, and the audit techniques to adopt.
With over 30 years' industry experience I will show you the audit checklist used by professional ISO 27001 Lead Auditors for ISO 27001 certification.
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit and this is the ISO 27001 Roles and Responsibilities audit checklist.
Defining Information Security Roles
Establish and document specific roles related to information security management.
Challenges
Ensuring all necessary roles are defined, avoiding duplication or gaps, and keeping roles up to date with organisational changes.
Audit Techniques
Review organisational charts, role descriptions, and responsibility matrices. Interview staff to understand their roles and responsibilities.
Assigning Responsibilities and Authorities
Clearly define the responsibilities and authorities associated with each information security role.
Challenges
Clearly delineating responsibilities and authorities, avoiding ambiguity, and ensuring individuals understand their remit.
Audit Techniques
Examine job descriptions, terms of reference, and documented responsibilities. Interview individuals in key roles to confirm their understanding of their responsibilities and authority levels.
Competence of Personnel
Ensure individuals assigned to information security roles have the necessary competence.
Challenges
Matching skills to roles, maintaining competence through training and experience, and addressing skills gaps.
Audit Techniques
Review training records, qualifications, and experience of personnel in information security roles. Interview staff about their training and development.
Communication of Roles and Responsibilities
Communicate information security roles, responsibilities, and authorities to relevant personnel.
Challenges
Ensuring all relevant staff are aware of their and others’ responsibilities, and maintaining effective communication channels.
Audit Techniques
Review communication plans, training materials, and internal newsletters. Interview staff about their understanding of roles and responsibilities.
Accountability for Information Security
Establish clear lines of accountability for information security.
Challenges
Clearly defining accountability, avoiding diffusion of responsibility, and ensuring individuals are held accountable.
Audit Techniques
Review organisational charts, reporting lines, and performance reviews. Interview senior management about how accountability is enforced.
Segregation of Duties
Implement appropriate segregation of duties to reduce the risk of fraud, errors, or other security breaches.
Challenges
Balancing segregation of duties with operational efficiency, especially in smaller organisations.
Audit Techniques
Review process documentation and access control lists. Interview staff about their responsibilities and access levels.
Management of Third-Party Roles
Define and manage the roles and responsibilities of third parties involved in information security.
Challenges
Managing third-party relationships effectively, ensuring alignment with the organisation’s security policies, and maintaining oversight.
Audit Techniques
Review contracts with third parties, service level agreements, and security assessments. Interview personnel responsible for managing third-party relationships.
Reporting Lines
Establish clear reporting lines for information security roles.
Challenges
Ensuring reporting lines are effective and that information flows appropriately to top management.
Audit Techniques
Review organisational charts and reporting structures. Interview staff about reporting lines and communication channels.
Review of Roles and Responsibilities
Regularly review and update information security roles and responsibilities.
Challenges
Keeping roles and responsibilities up to date with organisational changes, new threats, and evolving best practices.
Audit Techniques
Examine the process for reviewing and updating roles and responsibilities. Check review frequency and evidence of updates.
Documentation of Roles and Responsibilities
Maintain documented information about information security roles, responsibilities, and authorities.
Challenges
Keeping documentation current, accessible, and version-controlled.
Audit Techniques
Inspect the documented information for completeness, accuracy, and clarity. Check version control and document accessibility.
Further Reading
ISO 27001 Clause 5.3 Roles and Responsibilities