ISO 27002:2022, Control 5.2 – Information Security Roles and Responsibilities

ISO 27002:2022 Revised Controls


What is Control 5.2: Information Security Roles and Responsibilities?

ISO 27002:2022, control 5.2 — information security roles and responsibilities — is one of the most important controls in ISO 27002:2022. It is a modification of control 6.1.1 in ISO 27002:2013 and it defines how organisations should define and allocate information security roles and responsibilities.

Information Security Roles and Responsibilities Explained

The head of the organisation, the chief information security officer (CISO), IT service management (ITSM), the system owners and the system users all contribute to the robustness of information security. This section summarises the responsibilities of those who hold these roles.

The leader of the organisation bears the brunt of the responsibilities

Information security is your responsibility as the CEO of your agency. In addition, you serve as the organisation’s accrediting body.

Information security is the responsibility of the CISO

Good practices in the security sector and in governance are what CISOs are responsible for. Having this position in place guarantees that information security is properly managed at the highest levels of the organisation.

IT service management (ITSM) is responsible for implementing security measures as well as providing expertise

ITSM is a senior function in the company. System administrators work in conjunction with the chief information security officer to carry out the chief executive’s strategic directives.

Owners of systems are responsible for maintaining and operating them

An owner is required for every system. As a result, it is incumbent upon every system owner to guarantee adherence to IT governance rules and fulfilment of business needs.

System users safeguard systems by adhering to policies and procedures

System users are more likely to adhere to security rules and procedures if there is a strong security culture in place. Every system has inherent dangers, and it is up to the users to take responsibility for mitigating such dangers.

Addressing this control is critical for ensuring that each employee understands what they’re responsible for when it comes to protecting data, systems and networks. Admittedly, this is a challenge for many companies, especially small ones where the employees typically wear more than one hat.


Attributes Table

An attributes section is now included in the latest version of ISO 27002. Defining attributes is a way to classify controls. These allow you to easily match your control selection with typical industry terminology. The attributes for control 5.2 are:

Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains
#Preventive | #Confidentiality, #Integrity, #Availability | #Identify | #Governance | #Governance and Ecosystem, #Resilience

What Is The Purpose of Control 5.2?

The purpose of control 5.2 is to establish a defined, approved and understood structure for the implementation, operation and management of information security within the organisation. This is a formal organisational structure that assigns responsibility for information security throughout the organisation.

Control 5.2 Explained

Control 5.2 addresses the implementation, operation and management of roles and responsibilities for information security in an organisation according to the framework as defined by ISO 27001.

The control states that information security roles and responsibilities should be well defined and that everyone involved should understand their role. Typically, assets are assigned a designated owner who assumes responsibility for their day-to-day care.

However, depending on the size of the organisation and the available resources, information security can be handled by a dedicated team or by assigning additional responsibilities to current employees.

What Is Involved and How To Meet The Requirements

Allocating roles and responsibilities for information security is crucial for ensuring that the organisation’s information security is maintained and enhanced. To meet the requirements for this control, the allocation of roles should be formalised and documented, e.g., in a table form or in the form of an organisational chart.

  • The organisation should define the responsibilities and accountabilities for information security within the organisation and assign them to specific management job functions or roles.
  • This control should ensure that there is clarity with regard to the various roles and responsibilities within the organisation, in order to ensure that appropriate management attention is paid to information security.
  • Where appropriate, further training for individual sites and information processing facilities should be provided to help fulfil these duties.

The intent here is to ensure that clear roles, responsibilities and authorities are assigned and understood throughout the organisation. In order to ensure effective segregation of duties, the roles and responsibilities should be documented, communicated and applied consistently across the organisation.


Differences Between ISO 27002:2013 and 27002:2022

As already pointed out, control 5.2 in ISO 27002:2022, Information Security Roles and Responsibilities, is not a new control. This is simply a modified control found in ISO 27002:2013 as control 6.1.1.

The purpose of Control 5.2 has been defined, and new implementation guidance has been included in the most recent revision of ISO 27002. While the essence of the two controls is basically the same, there are slight improvements in the 2022 version.

For example, ISO 27002:2022 states that individuals who assume a specific information security function should be competent in the knowledge and skills required by the role, and should be supported to keep up to date with developments linked to the role that are necessary to fulfil its obligations. This point is not part of the 2013 version.

Additionally, the implementation guidelines of both versions are slightly different. Let us compare sections of the two below:

ISO 27002:2013 states that the areas for which individuals are responsible should be stated. These areas are:

a) the assets and information security processes should be identified and defined;

b) the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;

c) authorisation levels should be defined and documented;

d) to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;

e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.

ISO 27002:2022 is more condensed. It simply states that the organisation should define and manage responsibilities for:

a) protection of information and other associated assets;

b) carrying out specific information security processes;

c) information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);

d) all personnel using an organisation’s information and other associated assets.

Both versions of the control, however, suggest that organisations can appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

Who Is In Charge Of This Process?

An information security manager is often appointed by companies to oversee the creation and execution of security measures and to aid in the detection of potential threats and controls.

Resourcing and putting the controls in place will typically fall to individual managers. A frequent practice is to designate an individual for each asset, who is then in charge of the asset’s ongoing security.


How ISMS.online Helps

You are not expected to do much to meet the requirements of the new ISO 27002:2022 standard beyond upgrading your ISMS processes to reflect the improved controls. If your in-house team cannot handle this, ISMS.online can help.

In addition to providing a sophisticated cloud-based framework for documenting ISMS procedures and checklists to assure compliance with established norms, ISMS.online also streamlines the ISO 27001 certification process and the ISO 27002 implementation process.

All of your ISMS solutions can be managed in a centralised location thanks to our cloud-based software. You can use our easy-to-use application to keep track of anything that is required to verify conformity with ISO 2K7 specifications.

Implementing ISO 27002 is simplified with our intuitive step-by-step workflow and tools that include frameworks, policies and controls, actionable documentation and guidance. You can define the scope of the ISMS, identify risks, and implement controls using our platform – in just a few clicks.

We also have an in-house team of information technology specialists who will provide you with advice and assistance so that you can demonstrate compliance with the standard, and your dedication to information security, to your customers.

In order to learn more about how ISMS.online can assist you in achieving your ISO 2K7 objectives, please call us at +44 (0)1273 041140.

Get in touch today to book a demo.

New Controls

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures
