Bossing ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities – Beginner’s Guide

ISO 27002: 2022 Clause 5.2 Information Security Roles and Responsibilities

In this article we lay bare ISO 27001 Annex A 5.2  / ISO 27002: 2022 Clause 5.2 Information Security Roles and Responsibilities. A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.

Bossing ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities - A Beginners Guide-1-2

What is ISO 27001 Annex A 5.2?

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities is an ISO 27002: 2022 control that requires an organisation to define information security roles and responsibilities and allocate those to people.

ISO 27001 Annex A 5.2 Definition

The ISO 27001 standard defines Annex A 5.2 as:

Information security roles and responsibilities should be defined and allocated according to the organization needs.

ISO 27001 Annex A 5.2

ISO 27001 Annex A 5.2 Implementation Guide

You are going to have to

  • work out what roles you need
  • decide on what responsibilities those roles have
  • pick people in your organisation and assign those roles and responsibilities to them
  • document it
  • publish it
  • have them acknowledged by staff
  • review them at regular intervals

The absolute best way to do this is to use the Assigned Roles and Responsibilities template that has the roles and responsibilities already written out and all you have to do is put the names of the people in it.

If you are resolutely dead set on going through the pain of this yourself you are going to need copies of the relevant standards for information security, about 1week of your life dedicated to this and a lot, and I mean a lot, of patience.

You then need to work through those policies, and research organisational best practice, and work out exactly what roles you need. Then work out what responsibilities they should have. We fast tracked it in our template and can tell you it is a massive ball ache.

When you finally do implement it, depending on the size of your organisation, it is not uncommon for one person to hold more than one role.

You may be thinking, if it is one person doing all the work why do I need to document so many roles?

The short answer is because the ISO 27001 standard requires it and if you are going for ISO 27001 certification then you need it.

The longer answer is that as you grow, more people will take on these roles and spread the work load.

ISO 27001 Annex A 5.2 Templates

If you want to write these yourself I totally commend you. Maybe I also pity you in equal measure. These templates take 25 years of experience and distill it into amazing ISO 27001 templates of prewritten best practice awesomeness.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

How to comply with ISO 27001 Annex A 5.2

To comply with ISO 27001 Annex A 5.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Write a roles and responsibilities document
  • Set out what roles you have and the responsibilities those roles undertake
  • Create an organisation of the roles to show how they work together
  • Assign people to those roles and document when they were assigned
  • Review and approve the roles and reponsibilties document
  • Publish the roles and responsibilities document to a place everyone that needs to see them can see them
  • Plan to review your roles and responsibilities at least annually or if significant change occurs
  • Keep records of your review and the changes

How to pass an audit of ISO 27001 Annex A 5.1

To pass an audit of ISO 27001 Annex A 5.2 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

Top 3 Annex ISO 27001 A 5.2 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.2 are

#1 You have not documented the actual roles you require

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.

#2 You allocated a role to someone that no longer works here

Prior to the audit check that roles are assigned to people that actually work here. You will be surprised how often this trips people up. Check!

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no ‘comments’ in are all good practices.

Why is ISO 27001 Annex A 5.2 Important?

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities is important because an information security management system needs people to manage it.

It sets our what they are managing and by documenting it you make sure you are not missing something.

We build an effective management system by setting out what needs to be done and who is doing it.

ISO 27001 Annex A 5.2 FAQ

We are a small team and 1 or 2 people do everything, is that ok?

Yes. It is fine for 1 person to perform more than one role.

Shouldn’t HR do this?

Possibly. It would be good practice to involve them for sure.

What roles are required for ISO 27001 Annex A 5.2?

The roles required for ISO 27001 Annex A 5.2 include as a minimum:
CEO
Leadership Team
Information Security Leadership
Information Security Manager
Management Review Team
Third Party Supplier Manager
Business Continuity Manager
Information Owners

Are there free templates for ISO 27001 Annex A 5.2?

There are templates for ISO 27001 Annex A 5.2 located here: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/

Do I have to satisfy ISO 27001 Annex A 5.2 for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.2. People and what they do are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO 27001.

Can I write roles and responsibilities for ISO 27001 Annex A 5.2 myself?

Yes. You can write the roles and responsibilities for ISO 27001 Annex A 5.2 yourself. You will need a copy of the standard and approximately 1 week of time to do it. It would be advantageous to have a background in information security management systems.

Where can I get templates for ISO 27001 Annex A 5.2?

ISO 27001 templates for ISO 27001 Annex A 5.2 are located here: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/

How hard is ISO 27001 Annex A 5.2?

ISO 27001 Annex A 5.2 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.2 take me?

ISO 27001 Annex A 5.2 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the template: https://hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/

How much will ISO 27001 Annex A 5.2 cost me?

The cost of ISO 27001 Annex A 5.2 will depend how you go about it. If you do it yourself it will be free but will take you about 1 week so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template then you are looking at a maybe £15/ £20.

See Also

Reference

ISO/IEC 27001 Information Security Management

ISO 27001 Strategy Session
ISO 27001 ISO 27001 Toolkit
ISO 27001 Policy Bundle

ISO 27001 Templates Toolkit: Business Edition

ISO 27001 Policy Templates: Professional Edition

Stuart Barker

About the Author

Stuart Barker

Stuart is an ISO 27001 Consultant and author of the ISO 27001 Templates Toolkit. Over 20 years he has helped hundreds of organisations with the ISO 27001 standard and getting them ISO 27001 certification with a 100% success rate.

Shopping Cart