ISO 27001 Requirement 5.3 – Organisational Roles & Responsibilities

By Mark Sharron | Updated 14 December 2023

This clause is about top management ensuring that the roles, responsibilities and authorities relevant to the information security management system (ISMS) are clearly assigned and communicated. It does not mean that the organisation has to appoint several new staff or over-engineer the resourcing involved. That is a common misreading of the expectation, and one that puts smaller organisations off from pursuing the standard.

What does Clause 5.3 involve?

Quite simply, ISO 27001 is looking for clarity and focus on the key parts of the ISMS: who is accountable overall and who is responsible for which parts. This is good, logical business practice. You need to demonstrate that certain roles (not necessarily dedicated people) exist, that they have been assigned by top management, that they are communicated to the relevant interested parties, and that they are documented clearly enough to leave no ambiguity. The requirement is high level and easy to document, and it ties in with other parts of the ISMS, e.g. the risk owners required in 6.1 and the information security objective owners in 6.2.

How ISMS.online helps you

ISMS.online makes ISMS ownership and engagement straightforward in practice through its collaborative team memberships and its policy, risk, incident and improvement owners, all of which can flow down from the top management clarity that this clause 5.3 establishes.

One individual can hold more than one role, and you can unify the work, e.g. by having a management board oversee everything, which also helps demonstrate management reviews in line with 9.3 and joins up the ISMS as a whole. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, the role of CISO (Chief Information Security Officer) signals to your customers that you take information security seriously. In a smaller organisation it could be held by a senior executive alongside their day job; in a larger organisation it might be a full-time role in its own right.

You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who is more technical and able to focus on those aspects of the ISMS if the other roles are held by more commercial or strategic individuals. See the Annex A control on information security roles and responsibilities (A.6.1.1 in ISO 27001:2013, A.5.2 in ISO 27001:2022) and make sure the roles you define under clause 5.3 align with what you implement for that control.

ISO 27001 specifically requires top management to assign responsibility and authority for:

  • Ensuring the information security management system conforms to the requirements of the ISO/IEC 27001 standard itself
  • Reporting on the performance of the ISMS to top management (which is much easier when all the evidence is in one place)

It may well be that a senior executive holds accountability for the ISMS as part of the leadership commitment to information security in 5.1, but that person can of course delegate the day-to-day running of it to others in the organisation, or outsource it to specialist parties such as a virtual CISO (a service many ISMS.online partners offer). Accountability stays with top management either way. Just remember to document it.
