Clause 5.3 and Annex A.6.1.1 of ISO 27001 require top management to ensure that the roles, responsibilities and authorities for your Information Security Management System (ISMS) are defined, allocated, communicated and understood. But what exactly are these roles and responsibilities? And what is the most effective way to define them for your organisation?
What are the ISMS roles and responsibilities that ISO 27001:2015 requires you to define?
Defining ISO 27001 roles and responsibilities in your organisation has many benefits… from boosting operational efficiency to improving communication and collaboration.
The success of an Information Security Management System depends on commitment from all levels and functions of the organisation. Understanding the ISMS is not the responsibility of just one person, but of everyone. A good starting point is to define the ISMS compliance roles first. Whether you are a sole trader or a corporate CEO, we all find ourselves wearing multiple hats. Therefore, creating the role (or hat) of ‘Information Security Manager’ will help you assign the key responsibility of improving the ISMS to the most appropriate person in your organisation.
Responsibilities of the Information Security Manager role
Good communication and collaboration are key competency attributes for the Information Security Manager role. They will need to liaise with top management, process owners and staff to ensure that all employees have read and understood the Information Security Policy and are aware of the Information Security objectives of the Information Security Management System. Other responsibilities include ensuring that the ISMS conforms to the requirements of ISO 27001; monitoring the performance of the ISMS, including investigating Information Security incidents and events; and reporting opportunities for improvement to top management.
The Information Security Manager should have an understanding of statutory and regulatory requirements, as their responsibilities may include reporting data breaches to the ICO – see How to maintain an ISMS Legal Register for ISO 27001.
Responsibilities of the Top Management role
Top management should take accountability for the effectiveness of the ISMS and ensure that the ISMS achieves its intended results. They must provide appropriate resources for the ISMS and ensure responsibilities and authorities for relevant roles are assigned, communicated and understood.
Top management has overall responsibility for integrating the ISO 27001 requirements into business processes. This starts with defining an Information Security Policy that includes a commitment to satisfy applicable requirements related to information security and a commitment to continually improve the ISMS. Top management can also take the opportunity to enhance Information Security and improve efficiency by setting objectives in line with the strategic direction of the organisation.
Responsibilities of the Process Owner role
Process owners and line managers should be assigned responsibility for promoting the ISO 27001 objectives to their teams and for ensuring that processes preserve the Confidentiality, Integrity and Availability (CIA) of information. Process owners should also be responsible for ensuring that their staff and external suppliers understand the organisation’s Information Security risks relating to its activities, products and services.
Responsibilities of all Staff
All staff are responsible for Information Security. Employees must be aware of the Information Security objectives and the implications of not conforming with the ISMS requirements. Staff should also be aware of the Key Performance Indicators (KPIs) that will monitor and measure whether each process is working as expected.
How ISO 27001 Software can help you define and communicate your ISMS roles and responsibilities
The ISO 27001 standard requires the above ISMS roles, responsibilities and authorities to be communicated and understood within your company, so how do you achieve this?
One of the easiest ways to achieve this is to document the roles and responsibilities using ISO 27001 software such as the ISOvA Toolbox, which has a list of predefined ISMS Roles and Responsibilities including Information Security Manager, Top Management, Process Owners and All Staff. You can easily tailor these to match your organisation or add new roles. The guidance includes how to describe the responsibilities in terms of education, experience, training, and competence requirements. Internal and External communication columns include authorities on what and how information should be communicated.
Simply review and edit the ISOvA ISMS Roles and Responsibilities template to define the responsibilities for each role. Whether that is your Managing Director or your Information Security Manager, we set out the precise expectations of each individual, so everything is clearly communicated.
Once set, your ISMS roles will appear in other related areas of your ISMS software, including assigned responsibilities for Objectives, Corrective Actions, KPIs and Risk owners, to keep everything synchronised.