Introduction
In this tutorial we will cover Organisational Roles, Responsibilities and Authorities.
You will learn what ISO 27001 Organisational Roles, Responsibilities and Authorities means and how to implement it.
Organisational Roles, Responsibilities and Authorities
You are going to work with top management to make sure that you have defined and allocated roles and responsibilities for information security.
The first step is for you to nominate someone to be the information security manager who will be responsible for the information security management system.
Implementation Guide
Define the required roles and responsibilities
There is detailed guidance and further reading on roles and responsibilities in the guide ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities.
In summary, you will complete the roles and responsibilities document.
Example Roles
Example roles and responsibilities in the information security management system include:
- CEO
- senior leadership team
- management
- information security manager
- business continuity manager
- Management Review Team
- third party supplier manager
Assign People
With the roles and responsibilities defined and documented it is now time to allocate people to those roles.
In a small organisation it may well be the case that one individual is assigned more than one role and that is absolutely fine.
The only requirement is to maintain segregation of duties, which is covered in detail in ISO 27001 Annex A 5.3 Segregation of Duties.
You have the following options when assigning people:
- Get external help
- Appoint someone internally
- Train someone
You must ensure that the people you assign are competent to take on the roles.
Put a Management Review Team in place
A management review team has certain responsibilities within the management system.
It should be made up of at least one individual from each operational area of the business with an assigned deputy.
Your management review team will meet on a monthly basis, follow a structured agenda and be documented.
Further guidance is provided in the blog How to conduct an ISO 27001 Management Review Meeting.
Manage Competence
To manage competence you will complete an ISO 27001 competence matrix.
This is for every member of the management structure and for everybody who is involved in information security management and its delivery. It will cover everybody documented in the roles and responsibilities document and in the ISO 27001 RASCI Matrix.
The basic concept of a competency matrix is that it demonstrates you have the competencies to run an effective management system. You will use it to plan training to address any gaps.