ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

To implement an information security management system (ISMS) you are going to have roles that need to be in place and you are going to need to assign people to those roles.

In this ultimate guide to ISO 27001:2022 Clause 5.3 Organisational Roles, Responsibilities and Authorities you will learn:

  • What ISO 27001 Clause 5.3 is
  • How to implement it
  • Example Roles and Responsibilities

What is it?

ISO 27001 Clause 5.3 is an ISO 27001 control that requires you to define roles and responsibilities relevant to your information security management system (ISMS) and allocate them to people.

Purpose

The purpose of ISO 27001 clause 5.3 is to make sure you have defined the roles and responsibilities that you need to run your information security management system, assigned them to people and communicated them. This will ensure that the management system is effective.

Definition

The ISO 27001 standard defines ISO 27001:2022 clause 5.3 as:

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this document
b) reporting on the performance of the information security management system to top management.

ISO 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities

Requirement

The requirement for ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities is to make sure that roles, responsibilities and appropriate authority are assigned to people and that this is communicated. We document this in the ISO 27001 Roles and Responsibilities document.

We need to make sure that responsibility is assigned to someone for ensuring the standard is met and for reporting on the effectiveness and performance of the information security management system to the business leaders, which the standard refers to as ‘top management’.

Implementation Guide

Identify the roles that you need

You identify the roles that you need to implement, run and manage your information security management system. To do this you would either take a list of known roles or you would work out what needs doing and the roles that you need to support that.

Example roles and responsibilities in the information security management system include:

  • CEO
  • senior leadership team
  • management team
  • information security manager
  • business continuity manager
  • third party supplier manager
  • Management Review Team

Assign the Management Review Team

The Management Review Team should be made up of one representative of each of the in-scope areas, and those representatives should have an assigned deputy. In addition, at least one member of the senior management team and leadership team should be part of this Management Review Team.

Document the Management Review Team in the Information Security Roles Assigned and Responsibilities and document that it has responsibility for overseeing the Information Security Management System.

This group reports to the board and has board representation and certain board designated authority for decision making.

The Management Review Team should meet at least quarterly and follow the agenda as defined in the standard.

Typical duties of the Management Review Team include:

  • Approval and sign off of policy
  • Approval and sign off of processes
  • Risk Management Oversight
  • Continual Improvement Oversight
  • Performance Evaluation of the Information Security Management System (ISMS)

Allocate people to roles

For each of the roles that you have identified, you will allocate that role to someone in the organisation. Roles can be assigned to people outside the organisation if it is practicable and applicable to you.

Here you will ensure that the people that you allocate are competent to perform the role (ISO 27001 Clause 7.2 Competence) and that you have not introduced any conflict of interest (ISO 27001 Annex A Control 5.3 Segregation of duties).

Document Roles and Responsibilities

Document the Information Security Roles Assigned and Responsibilities and set out the roles and responsibilities with allocated resource.

Implement Management Reviews

Implement a Management Review Team with representatives from across the business and ensure meetings follow the structured Management Review Team Agenda.

Document Competence

Document a Competency Matrix to capture the core competencies and training requirements of staff in relation to information security.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

The ISO 27001 Roles and Responsibilities document fully satisfies the requirements of ISO 27001 Clause 5.3 and is pre-written with common examples. Available as an individual download, it is also part of the internationally best-selling and award-winning ISO 27001 Toolkit.

How to pass an audit

To pass an audit of ISO 27001 Clause 5.3 you are going to:

  • Decide what roles you need
  • Allocate roles to people
  • Ensure people are competent to perform the role
  • Implement a Management Review Team
  • Document it

What the auditor will check

The audit is going to check a number of areas for compliance with Clause 5.3. Let's go through them:

That you have documented roles and responsibilities

This is the easiest one for them to check. They want to see that roles and responsibilities have been defined and allocated. The easiest way is to use the ISO 27001 Roles and Responsibilities Template.

The main roles they want to see documented are the information security manager and the management review team.

That people allocated are still in the organisation

This is an easy one for them as most people do not keep their documentation up to date and as a result there will be people documented as being allocated to roles that no longer work in the organisation.

That people are competent to perform the role

It isn’t enough to document and allocate roles. The roles need to be allocated to people that are competent to perform them. This is not a tick-box and documentation exercise; it is about getting the management system operating effectively with people that are experienced and know what they are doing.

FAQ

What are the ISO 27001:2022 Changes to Clause 5.3?

The changes to ISO 27001 clause 5.3 for the 2022 update are minor at best: changing the word ‘International Standard’ to the word ‘document’ and adding clarification that communication is within the organisation, as was always implied but never said outright. Nothing material.

Can one person hold more than one role?

Yes, as long as you take into account the requirement to remove conflict of interest and implement segregation of duty.

Who is responsible for ISO 27001 Clause 5.3?

Senior management are responsible for ensuring that ISO 27001 Clause 5.3 is implemented and maintained.

What are the benefits of ISO 27001 Clause 5.3?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Annex A 5.3:

  • Improved security: You will have an effective information security management system that is being run by people competent to perform the roles.
  • Reduced risk: You will reduce the risk to your information security management system by identifying relevant people with the relevant skills to ensure it is effective.
  • Improved compliance: Standards and regulations require roles and responsibilities to be documented, in place and allocated to competent people.
  • Reputation protection: In the event of a breach, having effectively allocated people to the management system will reduce the potential for fines and reduce the PR impact of an event.

How often are roles and responsibilities reviewed?

After any significant change to the organisation, any significant change to personnel and at least annually.

How do you monitor the effectiveness of ISO 27001 Clause 5.3?

The approaches to monitoring the effectiveness of ISO 27001 Clause 5.3 include:

  • Internal audit of the documented roles and responsibilities
  • External audit of the documented roles and responsibilities
  • Review of anomalies in operation of the information security management system (ISMS)
