ISO 27001:2022

ISO 27001 Organisation Controls

ISO 27001 Annex A 5.1: Policies for information security

ISO 27001 Annex A 5.2: Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3: Segregation of duties

ISO 27001 Annex A 5.4: Management responsibilities

ISO 27001 Annex A 5.5: Contact with authorities

ISO 27001 Annex A 5.6: Contact with special interest groups

ISO 27001 Annex A 5.7: Threat intelligence

ISO 27001 Annex A 5.8: Information security in project management

ISO 27001 Annex A 5.9: Inventory of information and other associated assets

ISO 27001 Annex A 5.10: Acceptable use of information and other associated assets

ISO 27001 Annex A 5.11: Return of assets

ISO 27001 Annex A 5.12: Classification of information

ISO 27001 Annex A 5.13: Labelling of information

ISO 27001 Annex A 5.14: Information transfer

ISO 27001 Annex A 5.15: Access control

ISO 27001 Annex A 5.16: Identity management

ISO 27001 Annex A 5.17: Authentication information

ISO 27001 Annex A 5.18: Access rights

ISO 27001 Annex A 5.19: Information security in supplier relationships

ISO 27001 Annex A 5.20: Addressing information security within supplier agreements

ISO 27001 Annex A 5.21: Managing information security in the ICT supply chain

ISO 27001 Annex A 5.22: Monitoring, review and change management of supplier services

ISO 27001 Annex A 5.23: Information security for use of cloud services

ISO 27001 Annex A 5.24: Information security incident management planning and preparation

ISO 27001 Annex A 5.25: Assessment and decision on information security events

ISO 27001 Annex A 5.26: Response to information security incidents

ISO 27001 Annex A 5.27: Learning from information security incidents

ISO 27001 Annex A 5.28: Collection of evidence

ISO 27001 Annex A 5.29: Information security during disruption

ISO 27001 Annex A 5.30: ICT readiness for business continuity

ISO 27001 Annex A 5.31: Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32: Intellectual property rights

ISO 27001 Annex A 5.33: Protection of records

ISO 27001 Annex A 5.34: Privacy and protection of PII

ISO 27001 Annex A 5.35: Independent review of information security

ISO 27001 Annex A 5.36: Compliance with policies and standards for information security

ISO 27001 Annex A 5.37: Documented operating procedures

ISO 27001 Technical Controls

ISO 27001 Annex A 8.1: User Endpoint Devices

ISO 27001 Annex A 8.2: Privileged Access Rights

ISO 27001 Annex A 8.3: Information Access Restriction

ISO 27001 Annex A 8.4: Access To Source Code

ISO 27001 Annex A 8.5: Secure Authentication

ISO 27001 Annex A 8.6: Capacity Management

ISO 27001 Annex A 8.7: Protection Against Malware

ISO 27001 Annex A 8.8: Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9: Configuration Management 

ISO 27001 Annex A 8.10: Information Deletion

ISO 27001 Annex A 8.11: Data Masking

ISO 27001 Annex A 8.12: Data Leakage Prevention

ISO 27001 Annex A 8.13: Information Backup

ISO 27001 Annex A 8.14: Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15: Logging

ISO 27001 Annex A 8.16: Monitoring Activities

ISO 27001 Annex A 8.17: Clock Synchronisation

ISO 27001 Annex A 8.18: Use of Privileged Utility Programs

ISO 27001 Annex A 8.19: Installation of Software on Operational Systems

ISO 27001 Annex A 8.20: Network Security

ISO 27001 Annex A 8.21: Security of Network Services

ISO 27001 Annex A 8.22: Segregation of Networks

ISO 27001 Annex A 8.23: Web Filtering

ISO 27001 Annex A 8.24: Use of Cryptography

ISO 27001 Annex A 8.25: Secure Development Life Cycle

ISO 27001 Annex A 8.26: Application Security Requirements

ISO 27001 Annex A 8.27: Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28: Secure Coding

ISO 27001 Annex A 8.29: Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30: Outsourced Development

ISO 27001 Annex A 8.31: Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32: Change Management

ISO 27001 Annex A 8.33: Test Information

ISO 27001 Annex A 8.34: Protection of information systems during audit testing

Home / ISO 27001 Clauses / The Ultimate Guide to ISO 27001:2022 Clause 5.3: Organisational Roles, Responsibilities and Authorities

The Ultimate Guide to ISO 27001:2022 Clause 5.3: Organisational Roles, Responsibilities and Authorities

Last updated Sep 17, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Roles and Responsibilities

ISO 27001 Roles and Responsibilities is the requirement to identify and manage the roles and responsibilities that you need to run your information security management system.

In ISO 27001 this is known as ISO27001:2022 Clause 5.3: Organisational Roles, Responsibilities and Authorities. It is one of the mandatory ISO 27001 clauses.

To implement an information security management system (ISMS) you are going to have roles that need to be in place and you are going to need to assign people to those roles.

Key Takeaways

  • Mandatory Requirement: Clause 5.3 is a mandatory part of the ISO 27001 standard that requires organisations to clearly define and assign roles, responsibilities, and authorities for their Information Security Management System (ISMS).
  • Key Roles: The clause necessitates assigning key information security responsibilities to specific individuals, such as the CEO, an Information Security Manager, and a Management Review Team, to ensure accountability.
  • Documentation is Crucial: For compliance, it’s essential to document all assigned roles, responsibilities, and authorities. Auditors will check for this documentation to verify that the organisation has a clear and well-defined structure for its ISMS.

What is ISO 27001 Clause 5.3?

ISO 27001 Clause 5.3 Roles and Responsibilities is an ISO 27001 control that requires you to define roles and responsibilities relevant to your information security management system (ISMS) and allocate them to people.

Purpose and Definition

The purpose of ISO 27001 clause 5.3 is to make sure you have defined, assigned and communicated the roles and responsibilities that you need to run your information security management system to people. This will ensure that the management system is effective.

The ISO 27001 standard defines ISO 27001 clause 5.3 as:

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this document
b) reporting on the performance of the information security management system to top management.

ISO 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities

ISO 27001 Clause 5.3 Requirement

The requirement for ISO 27001 Clause 5.3 is to make sure that roles, responsibilities and appropriate authority is assigned to people and that this is communicated. We document this in the ISO 27001 Roles and Responsibilities document.

We need to make sure that responsibility is assigned to someone for ensuring the standard is met and for reporting on the effectiveness and performance of the information security management system to the business leaders, which they refer to as ‘top management’.

ISO 27001 Toolkit

Typical ISO 27001 Roles and Their Responsibilities

To establish a robust and effective Information Security Management System (ISMS), it’s essential to define clear roles and responsibilities. This is a foundational element of a successful ISO 27001 implementation. The following section outlines the typical roles found within an ISMS and details the specific responsibilities each one holds, ensuring accountability and promoting a culture of information security across the organisation. This framework will help your organisation allocate tasks, manage resources, and align security efforts with strategic business objectives.

CEO

  • Sets the company direction for information security
  • Promotes a culture of information security aligned to the business objectives
  • Signs off and agrees on resources, objectives, risks and risk treatment

Information Security Management Leadership

  • A central point of ownership to oversee the information security management system effectiveness.

The Information Security Manager

  • Day to day operation of the information security management system
  • Develop and continually improve the information security management system documentation
  • Conduct a structured audit programme of all areas of the Information Security management system based on risk at least annually
  • Provide training and awareness to all staff on information security
  • Report to the management review team as part of the structured agenda, as a minimum covering audit results, incidents, new risk, update on assigned risks and continual improvements.
  • Manage the continual improvement process
  • Manage the periodic update and review of documentation
  • Attend and co-ordinate internal information security management audit
  • Manage the completion received third party questionnaires in relation to information security from suppliers and clients
  • Maintain or have access to a list of all security related incidents
  • Provide guidance and support on matters relating to information security

The Management Review Team

The management review team shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.


  • Signs off policies and documents related to the information security management system
  • Oversees the risk management process and risk register
  • Signs off and agrees / escalates risk mitigation for information security risks
  • Ensures resources are available to implement identified, agreed risk mitigation
  • Implements policies, processes and continual improvements of the information security management system
  • Reports on projects or internal and external factors that may influence the information security management system
  • Communicates information security to the organisation

The Third Party Manager

  • Ensures effective third-party management of all suppliers and third parties in line with the third-party management policies and processes
  • Owns the third-party supplier register
  • Reports progress on third party management as a minimum to the management review team

ISO 27001 Clause 5.3 Explained: A Complete Guide

For a complete visual guide to this process, check out our video tutorial:  How to Implement ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

How to implement ISO 27001 Clause 5.3: Step-By-Step

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 5.3 Roles and Responsibilities

  1. Identify the roles that you need

    You identify the roles that you need to implement, run and manage your information security management system. To do this you would either take a list of known roles or you would work out what needs doing and the roles that you need to support that. You are going to work with top management to make sure that you have defined the correct roles for information security.

  2. Document and record the roles and responsibilities

    Using the ISO 27001 Information Security Roles and Responsibilities Template make a record of the roles and responsibilities that you have agreed.

  3. Choose the of source of your resources

    You have the following options when assigning people to roles
    1. Get external resources
    2. Appoint someone internally
    3. Train someone

  4. Assign the information security manager

    Nominate someone to be the information security manager who will be responsible for the information security management system.

  5. Assign the Management Review Team

    The Management Review Team should be made up of one representative of each of the in scope areas and those representatives should have an assigned deputy. In addition, at least one member of the senior management team and leadership team is part of this Management Review Team. This group reports to the board and has board representation and certain board designated authority for decision making. Typical duties of the Management Review Team include:
    • Approval and sign off of policy
    • Approval and sign off of processes
    • Risk Management Oversight
    • Continual Improvement Oversight
    • Performance Evaluation of the Information Security Management System (ISMS)

  6. Allocate people to roles

    With the roles and responsibilities defined and documented it is now time to allocate people to those roles. In a small organisation it may well be the case that one individual is assigned more than one role and that is absolutely fine. The only requirements is to maintain segregation of duties, which is covered in detail in ISO 27001 Annex A 5.3 Segregation of duties. You must ensure that the people you assign are competent to take on the roles and that you have not introduced any conflict of interest (ISO 27001 Annex A Control 5.3 Segregation of duties).

  7. Document who is assigned to what role

    Document who is doing what role and using the ISO 27001 RASCI Matrix Template assign accountability and responsibility for each ISO 27001 Clause and each ISO 27001 Annex A control.

  8. Manage Competence

    Using the ISO 27001 competence matrix record the level of competence for each person and follow the process of training to ensure that competence is maintained.

How can an ISO 27001 Toolkit help with ISO 27001 Clause 5.3?

For ISO 27001 Clause 5.3 Roles and Responsibilities the entire ISO 27001 toolkit is relevant but in particular the following templates directly support this ISO 27001 clause:

ISO 27001 Roles and Responsibilities Template

Document the Information Security Roles Assigned and Responsibilities and set out the roles and responsibilities with allocated resource.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

ISO 27001 Management Review Template

Implement a Management Review Team with representatives from across the business and ensure meetings follow the structured Management Review Team Agenda.

ISO 27001 Management Review Team Meeting Agenda Template

ISO 27001 Competence Template

Document a Competency Matrix to capture the core competencies and training requirements of staff in relation to information security.

ISO 27001 Competency Matrix Template

How to audit ISO 27001 clause 5.3

This audit checklist is a guide on how to conduct an internal audit of ISO 27001clause 5.3 Roles and Responsibilities based on what the ISO 27001 certification auditor will audit. It gives practical audit tips including what to audit and how.

1. Review Role Definitions

Examine documented role descriptions, job descriptions, or RACI matrices to verify that key information security roles are defined. Check for clarity and completeness in defining responsibilities and authorities.

Audit Technique: Document review.

2. Verify Role Assignment

Confirm that individuals have been assigned to the defined information security roles. Check for evidence of appointment letters, contracts, or other formal assignments.

Audit Technique: Document review, interviews with HR.

3. Assess Clarity of Responsibilities

Evaluate whether the responsibilities for each role are clearly defined and unambiguous. Look for potential overlaps or gaps in responsibilities.

Audit Technique: Document review, interviews with individuals in key roles.

4. Check Alignment of Authority and Responsibility

Determine if individuals have been granted the necessary authority to perform their assigned responsibilities. Ensure that the level of authority matches the level of responsibility.

Audit Technique: Interviews with individuals in key roles, review of organisational charts or reporting structures.

5. Evaluate Communication of Roles and Responsibilities

Verify that roles and responsibilities have been communicated effectively to all relevant personnel. Look for evidence of training, briefings, or other communication methods.

Audit Technique: Interviews with employees at different levels, review of training records.

6. Assess Understanding of Roles

Conduct interviews with individuals in key roles to assess their understanding of their own responsibilities and the responsibilities of others.

Audit Technique: Interviews with individuals in key roles.

7. Examine Integration with ISMS Processes

Verify that defined roles are integrated into the ISMS processes, such as risk assessment, incident management, and internal audit. Check for documented involvement of specific roles in these processes.

Audit Technique: Review of process documentation, interviews with process owners.

8. Review Regularity of Role Reviews

Check if the organisation has a process for regularly reviewing the defined roles and responsibilities to ensure their continued relevance and effectiveness.

Audit Technique: Review of documented review process, interviews with management.

9. Assess Handling of Performance Gaps

Verify that the organisation has a process in place to address performance gaps related to information security responsibilities. Look for evidence of performance reviews, feedback mechanisms, and corrective actions.

Audit Technique: Interviews with HR and management, review of performance records.

10. Check Organisational Structure

Review the organisational structure to ensure that information security roles have appropriate reporting lines and that there is clear accountability for information security.

Audit Technique: Review of organisational charts, interviews with top management.

How to pass the ISO 27001 Clause 5.3 audit

To pass an audit of ISO 27001 Clause 5.3 Roles and Responsibilities you are going to

  • Decide what roles you need
  • Allocate roles to people
  • Ensure people are competent to perform the role
  • Implement a Management Review Team
  • Document it

What an auditor looks for

The audit is going to check a number of areas for compliance with ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities. Lets go through them:

1. That you have documented roles and responsibilities

This is the easiest one for them to check. They want to see that roles and responsibilities have been defined and allocated. The easiest way is to use the ISO 27001 Roles and Responsibilities Template

The main roles they want to see documented are the information security manager and the management review team.

2. That people allocated are still in the organisation

This is an easy one for them as most people do not keep their documentation up to date and as a result there will be people documented as being allocated to roles that no longer work in the organisation.

3. That people are competent to perform the role

It isn’t enough to document and allocate roles. The roles that are allocated need to be allocated to people that are competent to perform the role. This not a tick box and documentation exercise, it is about getting the management system operating effectively with people that are experienced and know what they are doing.

ISO 27001 Clause 5.3: Organisational Roles, Responsibilities and Authorities FAQ

What are the ISO 27001:2022 Changes to Clause 5.3?

The changes to ISO 27001 clause 5.3 for the 2022 update are minor at best. Changing the word ‘International Standard’ to the word ‘document’ and adding clarification that communication is within the organisation as was always implied but never said out right. Nothing material.

What is the main purpose of Clause 5.3?

The main purpose is to prevent ambiguity and ensure accountability. By clearly defining who is responsible for what, an organisation can ensure that all necessary information security tasks are carried out, risks are managed, and the ISMS is maintained effectively. It’s the foundation for a well-governed ISMS.

Can one person hold more than one role?

Yes, absolutely. ISO 27001 is flexible. One person can hold multiple roles, especially in smaller organisations where resources are limited. The key is to ensure that the roles and responsibilities are clearly defined and that there are no conflicting duties. For example, the same person shouldn’t be responsible for both implementing a security control and independently auditing it.

Who is responsible for ISO 27001 Roles and Responsibilities

Top management is ultimately responsible for ensuring Clause 5.3 is implemented. This demonstrates their commitment and leadership in information security. While they don’t have to perform every task themselves, they must assign the responsibilities and authorities to the appropriate people or teams within the organisation.

What specific responsibilities must be assigned?

Clause 5.3 requires two key responsibilities to be assigned:
1. Ensuring the ISMS conforms to the ISO 27001 standard.
2. Reporting on the performance of the ISMS to top management.
3. These two roles are critical for the successful implementation and continuous improvement of the ISMS.

What are the benefits of ISO 27001 Roles and Responsibilities?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 5.3:
Improved security: You will have an effective information security management system that is being ran by people competent to perform the roles
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people with the relevant skills to ensure it is effective
Improved compliance: Standards and regulations require roles and responsibilities to be documented, in place and allocated to competent people.
Reputation Protection: In the event of a breach having effectively allocated people to the management system will reduce the potential for fines and reduce the PR impact of an event

How often are roles and responsibilities reviewed?

After any significant change to the organisation, any significant change to personel and at least annually.

How do we prove compliance with Clause 5.3 during an audit?

An auditor will look for documented evidence that:
1. Roles and responsibilities for the ISMS are clearly defined.
2. These roles have been assigned to specific individuals or teams.
3. The assignments have been formally communicated and are understood by employees.
4. The individuals assigned to these roles are competent to perform their duties. They may do this through interviews and reviewing your documentation.

How do you monitor the effectiveness of ISO 27001 Clause 5.3 Roles and Responsibilities?

The approaches to monitoring the effectives of the ISO 27001 Clause 5.3 include:
Internal audit of the documented roles and responsibilities
External audit of the documented roles and responsibilities
Review of anomalies in operation of the information security management system (ISMS)

Does Clause 5.3 require new job titles or hiring new staff?

No, it does not. The standard doesn’t require specific job titles like “CISO” or “Information Security Manager.” It requires that the responsibilities are assigned. These can be given to existing employees as an additional part of their current role, such as a CEO, IT manager, or department head.

What’s the difference between “roles,” “responsibilities,” and “authorities”?

Roles are the functions or positions within the organisation (e.g., IT Manager, Chief Information Security Officer).
Responsibilities are the specific duties or tasks associated with a role (e.g., conducting risk assessments, managing access controls).
Authorities are the permissions or decision-making power granted to a role to carry out their responsibilities (e.g., the authority to approve a new security policy or allocate budget for security tools).

How should these roles and responsibilities be documented?

They should be documented in a way that is clear and easily accessible to all relevant parties. Common documentation methods include:
1. An organisational chart.
2. Job descriptions.
3. A Responsibility Assignment Matrix (like a RACI chart).
4. The Information Security Policy or other formal procedures.

What happens if we don’t define and communicate these roles?

Without a clear framework, security responsibilities can fall through the cracks, leading to:
1. Gaps in controls: No one is assigned to manage specific security measures.
2. Ineffective incident response: Confusion about who should handle a security breach.
3 .Audit non-conformance: Auditors will identify the lack of a clear governance structure as a major issue, potentially leading to a failed certification.

ISO 27001 Annex A 5.2: Roles and Responsibilities

ISO 27001 Annex A 5.4: Management Responsibilities

ISO 27001 Amex A 5.5: Contact With Authorities

ISO 27001 Clause 7.2: Competence

ISO 27001 Clause 9.3: Management Review

Further Reading

ISO 27001 Competency Matrix Beginner’s Guide

How to conduct an ISO 27001 Management Review Meeting

ISO 27001 Roles and Responsibilities Explained

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.