ISO 27001 Organisational Roles, Responsibilities and Authorities – Tutorial


Introduction

In this tutorial we will cover Organisational Roles, Responsibilities and Authorities.

You will learn what ISO 27001 Organisational Roles, Responsibilities and Authorities are and how to implement them.

Organisational Roles, Responsibilities and Authorities

You are going to work with top management to make sure that you have defined and allocated roles and responsibilities for information security.

The first step is for you to nominate someone to be the information security manager who will be responsible for the information security management system.

Implementation Guide

Define the required roles and responsibilities

There is detailed guidance and further reading on roles and responsibilities in the guide ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities.

In summary, you will complete the roles and responsibilities document.

Example Roles

Example roles and responsibilities in the information security management system include:

  • CEO
  • senior leadership team
  • management
  • information security manager
  • business continuity manager
  • Management Review Team
  • third party supplier manager

Assign People

With the roles and responsibilities defined and documented it is now time to allocate people to those roles.

In a small organisation it may well be the case that one individual is assigned more than one role and that is absolutely fine.

The only requirement is to maintain segregation of duties, which is covered in detail in ISO 27001 Annex A 5.3 Segregation of Duties.

You have the following options when assigning people:

  • Get external help
  • Appoint someone internally
  • Train someone

You must ensure that the people you assign are competent to take on the roles.

Put a Management Review Team in place

A management review team has certain responsibilities within the management system.

It should be made up of at least one individual from each operational area of the business with an assigned deputy.

Your management review team will meet on a monthly basis, follow a structured agenda and be documented.

Further guidance is provided in the blog How to conduct an ISO 27001 Management Review Meeting.

Manage Competence

To manage competence you will complete an ISO 27001 competence matrix.

This is for every member of the management structure and for everybody that is involved in Information Security Management and its delivery. It will cover everybody documented in the roles and responsibilities document and in the ISO 27001 RASCI Matrix.

The basic concept of a Competency Matrix is that you are demonstrating that you have the competencies to run an effective management system. You will use it to plan training to address gaps.
