Information security is like a team sport where everyone has a job to do to keep data safe. ISO 27001 is a set of rules that helps organisations manage their information security. It’s not a single person’s job; it needs different people to do different things.
Examples
- CEO or Board of Directors: They make sure the company cares about security. They give the green light for security projects and make sure there’s enough money and people to do the work.
- Information Security Manager: This person is like the coach of the security team. They plan and lead the security efforts and make sure everyone follows the rules.
- IT Department: These are the people who build and fix the technology. They put security rules into action on computers and networks, like setting up firewalls and strong passwords.
- Employees: Everyone in the company has a role. They must follow security rules, like not sharing their passwords and being careful with emails that seem suspicious.
Context
Assigning clear roles and responsibilities is important because it avoids confusion. When everyone knows what they’re supposed to do, security becomes a part of daily work. This makes the company’s data and systems much safer. The ISO 27001 standard requires organisations to define who is responsible for what so that security is managed well.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to Information Security Roles and Responsibilities:
- ISO 27001:2022 Annex A 5.2 Roles and Responsibilities: This is the main ISO 27001 control for information Security Roles and Responsibilities.
- ISO 27001:2022 Clause 5.3: Organisational Roles, Responsibilities and Authorities: This is the management system requirement for roles and responsibilities.
- ISO 27001:2022 Clause 7.2: Competence: This control requires people to have the experience and skills required to perform their role.
