ISO 27001 Clause 5.3 Roles and Responsibilities

Home / ISO 27001 Clauses / ISO 27001 Clause 5.3 Roles and Responsibilities

ISO 27001 Roles and Responsibilities
Implementation Guide
Implementation Checklist
Audit Checklist
Example ISO 27001 Roles
Example ISO 27001 Responsibilities and Responsibilities
ISO 27001 Templates
Watch the Tutorial
How to pass the audit
What the auditor will check
ISO 27001 Clause 5.3 FAQ
Further Reading

ISO 27001 Roles and Responsibilities

To implement an information security management system (ISMS) you are going to have roles that need to be in place and you are going to need to assign people to those roles.

What is ISO 27001 Clause 5.3?

ISO 27001 Clause 5.3 Roles and Responsibilities is an ISO 27001 control that requires you to define roles and responsibilities relevant to your information security management system (ISMS) and allocate them to people.

ISO 27001 Clause 5.3 Purpose

The purpose of ISO 27001 clause 5.3 is to make sure you have defined, assigned and communicated the roles and responsibilities that you need to run your information security management system to people. This will ensure that the management system is effective.

ISO 27001 Clause 5.3 Definition

The ISO 27001 standard defines ISO 27001 clause 5.3 as:

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this document
b) reporting on the performance of the information security management system to top management.

ISO 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities

ISO 27001 Roles and Responsibilities Requirement

The requirement for ISO 27001 Clause 5.3 is to make sure that roles, responsibilities and appropriate authority is assigned to people and that this is communicated. We document this in the ISO 27001 Roles and Responsibilities document.

We need to make sure that responsibility is assigned to someone for ensuring the standard is met and for reporting on the effectiveness and performance of the information security management system to the business leaders, which they refer to as ‘top management’.

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit

Implementation Guide

Identify the roles that you need

You identify the roles that you need to implement, run and manage your information security management system. To do this you would either take a list of known roles or you would work out what needs doing and the roles that you need to support that.

You are going to work with top management to make sure that you have defined and allocated roles and responsibilities for information security.

The first step is for you to nominate someone to be the information security manager who will be responsible for the information security management system.

Allocate people to roles

With the roles and responsibilities defined and documented it is now time to allocate people to those roles. Roles can be assigned to people outside the organisation if it is practicable and applicable to you.

In a small organisation it may well be the case that one individual is assigned more than one role and that is absolutely fine.

The only requirements is to maintain segregation of duties, which is covered in detail in ISO 27001 Annex A 5.3 Segregation of duties.

You have the following options when assigning people

Get external help
Appoint someone internally
Train someone

You must ensure that the people you assign are competent to take on the roles and that you have not introduced any conflict of interest (ISO 27001 Annex A Control 5.3 Segregation of duties)

Assign the Management Review Team

A management review team has certain responsibilities within the management system.

Document the Management Review Team in the Information Security Roles Assigned and Responsibilities and document that it has responsibility for overseeing the Information Security Management System.

The Management Review Team should be made up of one representative of each of the in scope areas and those representatives should have an assigned deputy. In addition, at least one member of the senior management team and leadership team is part of this Management Review Team.

This group reports to the board and has board representation and certain board designated authority for decision making.

The Management Review Team meeting should meet at least quarterly and follow the agenda as defined in the standard.

Further guidance is provided in the guide How to conduct an ISO 27001 Management Review Meeting.

Typical duties of the Management Review Team include:

Approval and sign off of policy
Approval and sign off of processes
Risk Management Oversight
Continual Improvement Oversight
Performance Evaluation of the Information Security Management System (ISMS)

Manage Competence

To manage competence you will complete an ISO 27001 competence matrix.

This is for every member of the management structure, for everybody that’s involved in Information Security Management and its delivery. It will cover everybody documented in the roles and responsibilities document and in the ISO 27001 RASCI Matrix

The basic concept of a Competency Matrix is you are demonstrating that you have the competencies to run an effective management system. You will use it to plan training to address gaps.

Implementation Checklist

Roles and Responsibilities ISO 27001 Clause 5.3 Implementation Checklist:

Identify Key Roles

Determine the essential roles needed for effective ISMS implementation and operation. This includes roles like Information Security Manager, Data Owners, System Administrators, etc.

Challenge: Overlooking crucial roles or creating unnecessary complexity.

Solution: Conduct a thorough analysis of the organisation’s information security needs and structure. Use a RACI matrix (Responsible, Accountable, Consulted, Informed) to define roles and their relationships.

Define Responsibilities for Each Role

Clearly define the specific responsibilities associated with each identified role. What are they expected to do?

Challenge: Vague or overlapping responsibilities, leading to confusion and gaps in coverage.

Solution: Document responsibilities in detail, using clear and concise language. Ensure that each responsibility is assigned to only one role to avoid ambiguity.

Assign Authorities to Match Responsibilities

Grant the necessary authority to individuals so they can effectively carry out their assigned responsibilities. Authority should match the level of responsibility.

Challenge: Giving responsibility without the corresponding authority, hindering performance.

Solution: Clearly define the limits of authority for each role. Ensure that individuals understand their authority levels and are empowered to act within those limits.

Document Roles, Responsibilities, and Authorities

Maintain documented information about the defined roles, responsibilities, and authorities. This can be in the form of job descriptions, role profiles, or a dedicated RACI matrix.

Challenge: Difficulty in keeping documentation up-to-date and accessible.

Solution: Use a centralised document management system to control versions and access. Establish a regular review process to ensure accuracy.

Communicate Roles and Responsibilities

Ensure that all relevant personnel are aware of their own roles and responsibilities, as well as those of others.

Challenge: Employees not understanding their roles or how they contribute to the ISMS.

Solution: Conduct training and awareness programs to communicate roles and responsibilities. Make the documentation easily accessible.

Provide Training and Competence Development

Ensure that individuals have the necessary skills and knowledge to fulfil their assigned responsibilities.

Challenge: Lack of skilled personnel or difficulty in providing adequate training.

Solution: Conduct skills gap analysis and develop training plans to address identified gaps. Provide opportunities for professional development and certifications.

Integrate Roles into ISMS Processes

Ensure that defined roles are integrated into the ISMS processes, such as risk assessment, incident management, and internal audit.

Challenge: Roles not being actively involved in ISMS processes.

Solution: Clearly define the involvement of each role in relevant processes. Include roles in process documentation and training.

Regularly Review Roles and Responsibilities

Periodically review the defined roles and responsibilities to ensure they remain relevant and effective. Business needs and the ISMS itself evolve.

Challenge: Roles becoming outdated or not aligned with current needs.

Solution: Conduct regular reviews, at least annually or more frequently as needed. Involve key stakeholders in the review process.

Address Performance Gaps

Have a process in place to address performance gaps related to information security responsibilities.

Challenge: Difficulty in addressing performance issues or lack of clear performance expectations.

Solution: Establish clear performance expectations for each role. Provide regular feedback and coaching. Implement a performance management process to address performance gaps.

Maintain Organisational Structure Chart

While not strictly required by 27001, a high-level organisational chart showing reporting lines for key security roles can be beneficial.

Challenge: Keeping the organisational chart current, especially in dynamic environments.

Solution: Assign responsibility for maintaining the organisational chart. Integrate updates into the change management process.

Audit Checklist

The following is a summary of the ISO 27001 Clause 5.3 Audit Checklist:

Review Role Definitions

Examine documented role descriptions, job descriptions, or RACI matrices to verify that key information security roles are defined. Check for clarity and completeness in defining responsibilities and authorities.

Audit Technique: Document review.

Verify Role Assignment

Confirm that individuals have been assigned to the defined information security roles. Check for evidence of appointment letters, contracts, or other formal assignments.

Audit Technique: Document review, interviews with HR.

Assess Clarity of Responsibilities

Evaluate whether the responsibilities for each role are clearly defined and unambiguous. Look for potential overlaps or gaps in responsibilities.

Audit Technique: Document review, interviews with individuals in key roles.

Check Alignment of Authority and Responsibility

Determine if individuals have been granted the necessary authority to perform their assigned responsibilities. Ensure that the level of authority matches the level of responsibility.

Audit Technique: Interviews with individuals in key roles, review of organisational charts or reporting structures.

Evaluate Communication of Roles and Responsibilities

Verify that roles and responsibilities have been communicated effectively to all relevant personnel. Look for evidence of training, briefings, or other communication methods.

Audit Technique: Interviews with employees at different levels, review of training records.

Assess Understanding of Roles

Conduct interviews with individuals in key roles to assess their understanding of their own responsibilities and the responsibilities of others.

Audit Technique: Interviews with individuals in key roles.

Examine Integration with ISMS Processes

Verify that defined roles are integrated into the ISMS processes, such as risk assessment, incident management, and internal audit. Check for documented involvement of specific roles in these processes.

Audit Technique: Review of process documentation, interviews with process owners.

Review Regularity of Role Reviews

Check if the organization has a process for regularly reviewing the defined roles and responsibilities to ensure their continued relevance and effectiveness.

Audit Technique: Review of documented review process, interviews with management.

Assess Handling of Performance Gaps

Verify that the organization has a process in place to address performance gaps related to information security responsibilities. Look for evidence of performance reviews, feedback mechanisms, and corrective actions.

Audit Technique: Interviews with HR and management, review of performance records.

Check Organisational Structure

Review the organisational structure to ensure that information security roles have appropriate reporting lines and that there is clear accountability for information security.

Audit Technique: Review of organisational charts, interviews with top management.

Example ISO 27001 Roles

Example roles in the information security management system include:

CEO
senior leadership team
management team
information security manager
business continuity manager
third party supplier manager
Management Review Team

Example ISO 27001 Responsibilities and Responsibilities

Example roles and responsibilities in the information security management system include:

CEO

Sets the company direction for information security
Promotes a culture of information security aligned to the business objectives
Signs off and agrees on resources, objectives, risks and risk treatment

Information Security Management Leadership

A central point of ownership to oversee the information security management system effectiveness.

Information Security Manager

Day to day operation of the information security management system
Develop and continually improve the information security management system documentation
Conduct a structured audit programme of all areas of the Information Security management system based on risk at least annually
Provide training and awareness to all staff on information security
Report to the management review team as part of the structured agenda, as a minimum covering audit results, incidents, new risk, update on assigned risks and continual improvements.
Manage the continual improvement process
Manage the periodic update and review of documentation
Attend and co-ordinate internal information security management audit
Manage the completion received third party questionnaires in relation to information security from suppliers and clients
Maintain or have access to a list of all security related incidents
Provide guidance and support on matters relating to information security

Management Review Team

The management review team shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. 

Signs off policies and documents related to the information security management system
Oversees the risk management process and risk register
Signs off and agrees / escalates risk mitigation for information security risks
Ensures resources are available to implement identified, agreed risk mitigation
Implements policies, processes and continual improvements of the information security management system
Reports on projects or internal and external factors that may influence the information security management system
Communicates information security to the organisation

Third Party Management

Ensures effective third-party management of all suppliers and third parties in line with the third-party management policies and processes
Owns the third-party supplier register
Reports progress on third party management as a minimum to the management review team

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

The ISO 27001 Roles and Responsibilities document fully satisfies the requirements of ISO 27001 Clause 5.3 and is pre written with common examples. Available as individual download it is also part of the internationally best selling and award winning ISO 27001 Toolkit.

ISO 27001 Roles and Responsibilities Template

Document the Information Security Roles Assigned and Responsibilities and set out the roles and responsibilities with allocated resource.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

ISO 27001 Management Review Template

Implement a Management Review Team with representatives from across the business and ensure meetings follow the structured Management Review Team Agenda.

ISO 27001 Management Review Team Meeting Agenda Template

ISO 27001 Competence Template

Document a Competency Matrix to capture the core competencies and training requirements of staff in relation to information security.

Watch the Tutorial

Watch the ISO 27001 tutorial – How to Implement ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

How to pass the audit

To pass an audit of ISO 27001 Clause 5.3 Roles and Responsibilities you are going to

Decide what roles you need
Allocate roles to people
Ensure people are competent to perform the role
Implement a Management Review Team
Document it

What the auditor will check

The audit is going to check a number of areas for compliance with Clause 5.3. Lets go through them:

That you have documented roles and responsibilities

This is the easiest one for them to check. They want to see that roles and responsibilities have been defined and allocated. The easiest way is to use the ISO 27001 Roles and Responsibilities Template

The main roles they want to see documented are the information security manager and the management review team.

That people allocated are still in the organisation

This is an easy one for them as most people do not keep their documentation up to date and as a result there will be people documented as being allocated to roles that no longer work in the organisation.

That people are competent to perform the role

It isn’t enough to document and allocate roles. The roles that are allocated need to be allocated to people that are competent to perform the role. This not a tick box and documentation exercise, it is about getting the management system operating effectively with people that are experienced and know what they are doing.

ISO 27001 Clause 5.3 FAQ

What are the ISO 27001:2022 Changes to Clause 5.3?

The changes to ISO 27001 clause 5.3 for the 2022 update are minor at best. Changing the word ‘International Standard’ to the word ‘document’ and adding clarification that communication is within the organisation as was always implied but never said out right. Nothing material.

Can one person hold more than one role?

Yes, as long as you take into account the requirement to remove conflict of interest and implement segregation of duty.

Who is responsible for ISO 27001 Roles and Responsibilities

Senior management are responsible for ensuring that ISO 27001 Clause 5.3 is implemented and maintained.

What are the benefits of ISO 27001 Roles and Responsibilities?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 5.3:
Improved security: You will have an effective information security management system that is being ran by people competent to perform the roles
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people with the relevant skills to ensure it is effective
Improved compliance: Standards and regulations require roles and responsibilities to be documented, in place and allocated to competent people.
Reputation Protection: In the event of a breach having effectively allocated people to the management system will reduce the potential for fines and reduce the PR impact of an event

How often are roles and responsibilities reviewed?

After any significant change to the organisation, any significant change to personel and at least annually.

How do you monitor the effectiveness of ISO 27001 Clause 5.3 Roles and Responsibilities?

The approaches to monitoring the effectives of the ISO 27001 Clause 5.3 include:
Internal audit of the documented roles and responsibilities
External audit of the documented roles and responsibilities
Review of anomalies in operation of the information security management system (ISMS)

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.