I’m the ISO27001 Ninja and in this blog we’re going to take a deep dive into ISO27001 clause 5.3, organisational roles, responsibilities and authorities. How exciting is that? Strap yourselves in, let’s go!
Right, so we’re going to look at what it is, what you need to do about it, what an auditor is going to look for, the usual, and hopefully provide you some value add so that you can pass this darn certification for 27001.
Right, so what we’re going to do is, we’re going to start off with the book definition.
We always start off with the book definition, then you know what we’re dealing with.
ISO27001 clause 5.3 definition. The standard defines ISO27001 clause 5.3 as – “Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation. Top management shall assign the responsibility and authority for: a) ensuring that the information security management system conforms to the requirements of this document; b) reporting on the performance of the information security management system to top management”.
What that means in practice
Okay, so what is it that we’re looking at here? The standard is basically saying – “yo! Top management! You are accountable for this, but give it to someone to do, give them the authority to do it, and make sure that whoever you give it to reports back to you so you know what they’re doing.” Accountability stays with top management and cannot be delegated. What gets delegated is the responsibility and the authority, and the reporting line back up is what closes the loop.
Right, we’ve discussed this a number of times: ISO27001 as a standard is only about 10 pages of mandatory requirements (clauses 4 to 10) and that is the maximum amount of guidance you’re going to get from the document itself. Thankfully, through decades of implementation and audits I know what the auditor is going to be looking for and we can expand on that a little bit further. So the standard wants us to assign the responsibility to somebody, put some authority behind them so that they can make sure we’re meeting the standard, and it wants that assignment communicated. A name that only exists in somebody’s head does not count; it has to be written down and the person has to know they hold the role.
What is it that I would do? Well, when it comes to the standard the first thing I would do is buy the Ultimate ISO27001 Toolkit, which includes everything that you need. The most ruthlessly effective, the most aggressively priced, cheapest ISO27001 toolkit on the market, that includes everything that you need. But failing that, what else would I do?
First of all I would complete my roles and responsibilities document. Yes, there is a template for that. If I haven’t got a template, what do I need, or what is included in the template? Well, you have specific roles when it comes to an information security management system.
Example roles and responsibilities in the information security management system include:
- the CEO,
- the senior leadership team,
- management,
- the information security manager,
- the business continuity manager,
- the Management Review Team,
- the third party supplier manager,
- etc, etc.
So, what you’re going to do is have a document that sets out the roles that make up your information security management system and then explains, for each role, what it is responsible for and what authority it carries. The authority part matters: clause 5.3 asks for responsibilities and authorities, so an information security manager who is responsible for the ISMS but has no authority to stop a change, raise a risk or spend budget is not going to satisfy the wording.
Once you’ve got that document in place you’re then going to assign named people to those roles. Now, in a small organisation it may well be the case that one individual is assigned more than one role and that is absolutely fine. What we’re trying to do is maintain a level of segregation of duties; we’re trying to remove conflicts of interest by keeping conflicting roles apart. The obvious conflict is internal audit: clause 9.2 wants auditors who are objective and impartial, so the person running the ISMS should not be the person auditing it. If you find that a conflict is being introduced and you are too small to have it any other way, the way you solve that is by raising a risk register item and managing it through risk. We’ll discuss that in another blog. Either way, you’re going to have your roles and responsibilities document and it is going to be populated with the names of the people doing the work.
Management Review Team
The next thing I’m going to do is introduce the structure of a management review team. Management review itself is a requirement of the standard (clause 9.3), and the team is how I run it. A management review team, as part of my roles and responsibilities, has certain responsibilities within the management system. Those include overseeing the policies, overseeing the programme, overseeing the work, and reporting back to senior leadership and senior management on the progress, the status, the ongoing implementation and where we are with our ISO27001.
So, I’m going to get my management review team together. How am I going to get my management review team together?
I’m going to pick at least one individual from each operational area of the business, at least one operational individual per area. The reason is that we need to communicate and we need to bring people on a journey with us, so we want everybody within the organisation involved. Taking one individual from each operational area will help with that.
What I’m also going to do is ask each of them to assign a deputy. We want a deputy for each management review team member who has the authority to sign things off on their behalf. One of your worst case scenarios is that you operate a management review structure with accountability, responsibility and reporting responsibility, and then people don’t turn up. Something inevitably goes wrong, usually something negative, and then they say – “oh, but I wasn’t there, I didn’t know anything about it”. So we make sure there is a deputy and somebody is always in the room.
I’m going to assign my management review team and I’m going to make sure it meets at least monthly up to the certification audit, ideally continuing monthly for the first year of implementation. After that it must never meet less frequently than every three months. What am I saying? It’s got to meet at least every three months, so let’s not be meeting once a year, if possible. The standard only says “at planned intervals”, so whatever frequency you choose, write it down and then stick to it, because the auditor will compare the plan with the minutes.
I’m going to implement those management reviews and get them absolutely documented. Every management review is scheduled, in the calendar, with an agenda, attendees, decisions and actions recorded.
There is a guide and a blog How to conduct an ISO 27001 Management Review Meeting.
ISO27001 Competency Matrix
The next thing I’m going to do as part of this, because it makes sense and because the standard requires it (clause 7.2, competence), is complete an ISO27001 competence matrix. I’m going to complete an ISO27001 Competency Matrix for every member of the management structure, for everybody involved in information security management and its delivery, for everybody documented in the roles and responsibilities document and for everybody documented in the ISO27001 RASCI Matrix. Yes, there is an ISO27001 Competency Matrix Template for it, and there’s a video on how to create an ISO27001 Competency Matrix yourself from scratch for free. The basic concept is that we are demonstrating we have the competencies to run an effective management system. We record the names of individuals down the side and, across the top, the levels of experience, training and certifications that are relevant to the management system. We use that matrix to evidence competence but also to identify gaps, and it gives us a plan for where we may need training or additional knowledge. So, I’m going to make sure that is in place.
Through a combination of those we are in a position where we can effectively demonstrate our compliance with this particular clause. Right, so, what is an auditor going to look for?
What an auditor will check
When an auditor comes to audit us against this clause they are going to look for the items I’ve just mentioned. They’re going to want to see roles and responsibilities documented, with named people against them. They’re going to want to see some kind of management review team that meets regularly, follows a structured agenda and reports out. As part of our management review team we have an operational member from every part of the organisation plus at least one member of senior leadership. Did I mention that? Maybe I didn’t. You need that: a senior member of your leadership team is your conduit for communication upwards, and it is how you evidence the second half of the clause, reporting on the performance of the ISMS to top management. You’re going to have the reports and minutes that come out of the back of those meetings, and evidence that they were distributed. Then, for everybody allocated a role and responsibility, we make sure they exist on the competence matrix and that we can show they have the competence to do the job.
My ISO 27001 ninja top tip is deputies: ensure that you have deputies for everybody. And whether or not you’re following the template, record when each person was assigned to each role, so there is a dated record the auditor can check against the minutes and the competence matrix.
So, this one is quite an easy one, right. There isn’t much more to go through other than to say: give it to somebody. Senior leadership, give it to somebody, give them the authority and the tools and resources they need to deliver to the standard, give them everything they need to be successful, and then get them to report back to you that they’re doing the right thing. That’s the bare minimum you need to do.
That was ISO27001 Clause 5.3. Nice and easy. Be sure to subscribe to my ISO27001 YouTube channel. My YouTube channel is where all the gold is. All the knowledge that consultants will charge you thousands and thousands of pounds for, I am giving away for free. These videos drop reasonably regularly, so if you haven’t already hit the Subscribe button, join all those hundreds of other people that have done so and get the inside knowledge on ISO27001. So, for now that is it. Until the next one, peace out.