What is ISO 27001 Clause 5.3, how to meet the requirements and downloadable ISO 27001 Clause 5.3 templates
What is ISO 27001 Clause 5.3 Organisational roles, responsibilities and authorities
In essence, the purpose of this clause is to have information security roles and responsibilities defined and allocated to named people. Many aspects of ISO 27001 can be supported with templates, and there are a number of ISO 27001 mandatory documents; we use the ISO 27001 templates to record and evidence this clause.
What is the actual requirement of ISO 27001 Clause 5.3
The actual requirement is that top management makes sure roles, responsibilities and the appropriate authority are assigned to people, and that these assignments are communicated within the organisation. We document the assignments against the requirement of the clause and the communication of them as part of the communication plan.
Responsibility must be assigned to someone for ensuring the information security management system conforms to the standard and for reporting on its performance and effectiveness to the business leaders, whom the standard refers to as 'top management'.
How to satisfy ISO 27001 Clause 5.3
Document the Information Security Roles Assigned and Responsibilities, setting out each role, its responsibilities and the person or resource allocated to it.
Implement a Management Review Team with representatives from across the business and ensure its meetings follow the structured Management Review Team Agenda.
Document a Competency Matrix that captures the core competencies and training requirements of staff in relation to information security.
Record the Management Review Team in the Information Security Roles Assigned and Responsibilities document, noting that it is responsible for overseeing the Information Security Management System. This group reports to the board, has board representation and holds board-delegated authority for decision making. The Management Review Team should meet at least quarterly (the standard itself only requires management review at 'planned intervals', so quarterly is our recommended interval), and its agenda should cover the management review inputs listed in Clause 9.3 of the standard.