ISO 27002 Roles and Responsibilities – Control 5.2


ISO 27002 Roles and Responsibilities

Defining and assigning roles and responsibilities for information security is essential for implementing and running an Information Security Management System (ISMS).

Clearly defined roles and responsibilities ensure that individuals know what is expected of them, promoting accountability for information security within the organisation.

What is ISO 27002:2022 Control 5.2?

ISO 27002 Control 5.2 Information Security Roles and Responsibilities provides implementation guidance on how to implement ISO 27001 Annex A 5.2.

Definition of ISO 27002 Control 5.2

ISO 27002 defines Control 5.2 as follows: information security roles and responsibilities must be defined and assigned based on the specific needs of the organisation.

Purpose of ISO 27002 Control 5.2

This is a preventive control designed to establish a clear, approved, and understood framework for implementing, operating, and managing information security within the organisation.

Ownership of ISO 27002 Control 5.2

The Information Security Manager, in collaboration with HR and senior leadership, is responsible for defining and assigning information security roles and responsibilities.

Compliance Guidance

Information security roles and responsibilities must be assigned in accordance with the established information security policy and relevant topic-specific policies (see ISO 27002 Control 5.1).

The organisation must clearly define and manage responsibilities for:

  • Protecting information and related assets.
  • Carrying out specific information security processes.
  • Managing information security risks, including the acceptance of residual risks (e.g., by risk owners).
  • Ensuring the secure use of organisational information and related assets by all personnel.

These responsibilities may be further supplemented with more detailed guidance for specific locations and information processing facilities.

Individuals with assigned security responsibilities may delegate tasks to others, but they remain ultimately accountable for the successful completion of these tasks.

Each security area with assigned responsibilities must be clearly defined, documented, and communicated to all relevant personnel. Authorisation levels for each role must also be defined and documented.

Individuals fulfilling information security roles must possess the necessary knowledge and skills. The organisation must provide ongoing support to ensure these individuals maintain the required competencies.

Supplementary Guidance on ISO 27002 Control 5.2

Many organisations designate an information security manager to lead the development and implementation of information security measures, including risk identification and mitigation strategies. However, the responsibility for allocating resources and implementing specific controls often falls on individual department managers. A common approach is to assign an “asset owner” to each critical asset, making them accountable for its day-to-day security.

The allocation of information security responsibilities varies depending on the organisation’s size and available resources. In some cases, dedicated information security roles are established, while in others, security duties are integrated into existing job responsibilities.

Changes and Differences to ISO 27002:2013

While the 2022 version of ISO 27002 retains many similarities to its predecessor, distinctions emerge:

Control 5.2 in ISO 27002:2022 is essentially an updated version of control 6.1.1 in the 2013 edition. While the core principle of defining and assigning information security roles and responsibilities remains unchanged, the 2022 version introduces several key refinements:

Enhanced Guidance

Control 5.2 in 2022 provides more specific guidance on the responsibilities of individuals in information security roles, emphasising the importance of ongoing professional development and ensuring they possess the necessary knowledge and skills. This aspect was not explicitly mentioned in the 2013 version.

Concise Implementation Guidelines

The 2022 version offers more concise and focused implementation guidelines. It emphasises responsibilities for:

  • Protecting information and associated assets.
  • Executing specific security processes.
  • Managing information security risks, including risk acceptance.
  • Ensuring the secure use of information by all personnel.

Focus on Risk Management

The 2022 version explicitly highlights the role of individuals in information security risk management activities, particularly in accepting residual risks.

Key Similarities

Both versions acknowledge the importance of:

  • Clearly defining and assigning information security roles and responsibilities.
  • Potentially appointing an Information Security Manager to oversee information security activities.

In summary

While building upon the foundation of the 2013 version, Control 5.2 in ISO 27002:2022 provides more specific guidance, emphasises the importance of ongoing professional development, and strengthens the focus on risk management.

ISO 27002 Control 5.2 FAQ

What is the difference between ISO 27001 Annex A 5.2 and ISO 27002 Control 5.2?

ISO 27001 Annex A 5.2 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 5.2 is the implementation guidance for the control.

Is Information Security Roles and Responsibilities required for ISO 27001 certification?

Yes, Information Security Roles and Responsibilities is a required information security control for ISO 27001 certification.

ISO 27002 Control 5.2 Attributes Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify
Operational capabilities: Governance
Security domains: Governance and Ecosystem, Resilience
