In this article we lay bare ISO 27001 Clause 5.3, Organisational roles, responsibilities and authorities: what the clause actually asks for, the templates that will save you hours of your life, and exactly what you need to do to satisfy it for ISO 27001 certification.
What is ISO 27001 Clause 5.3?
In essence, the purpose of this clause is that information security roles and responsibilities are actually defined and allocated to named people, not just written down. There are many aspects of ISO 27001 that ISO templates can help with, and there are many ISO 27001 mandatory documents. We use the ISO 27001 templates to record and evidence this clause.
What is the requirement of ISO 27001 Clause 5.3?
The actual requirement is to make sure that roles, responsibilities and the appropriate authority are assigned to people, and that those assignments are communicated. We document the assignments in the roles and responsibilities document and evidence the communication as part of the communication plan.
The clause also requires that someone is made responsible for ensuring the information security management system meets the standard, and for reporting on the performance and effectiveness of the information security management system to the business leaders, which the standard refers to as 'top management'.
ISO 27001 Clause 5.3 Definition
The ISO 27001 standard defines clause 5.3 as:
"Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management." (ISO 27001 Clause 5.3)
ISO 27001 Clause 5.3 Implementation Guide
Document the Information Security Roles Assigned and Responsibilities, setting out each role, the responsibilities and authority attached to it, the named person who holds it and the resource allocated to it.
Implement a Management Review Team with representatives from across the business and ensure its meetings follow the structured Management Review Team Agenda.
Document a Competency Matrix to capture the core competencies and training requirements of staff in relation to information security.
Record the Management Review Team in the Information Security Roles Assigned and Responsibilities and document that it has responsibility for overseeing the Information Security Management System. This group reports to the board, has board representation and holds certain board-designated authority for decision making. The Management Review Team should meet at least quarterly and follow the defined agenda.