The basics
ISO 27001 sub-clause 5.3 is called “Organizational roles, responsibilities and authorities” — it requires top management to ensure that roles, responsibilities, and authorities are delegated and communicated effectively. The responsibilities must be assigned to ensure that the ISMS is fully compliant with the standard and that the ISMS performance can be accurately reported to top management.
Documentation
ISO 27001 clause 5.3 Organizational roles, responsibilities and authorities does not require writing any documents.
Organizational roles, responsibilities, and authorities are usually specified in various policies, procedures, and other documents. The following documents are not mandatory, and companies can decide whether to write them:
- Job descriptions
- Organizational chart
Implementation
To comply with clause 5.3 Organizational roles, responsibilities and authorities, you need to define the following roles and responsibilities:
- Coordination of the ISMS so that it is compliant with ISO 27001 – usually performed by a security manager (e.g., CISO)
- Monitoring the performance of the ISMS and reporting it to top management – usually performed by a security manager
- Performing the internal audit – by the internal auditor
- Publishing the top-level security policy and objectives, and performing the management review – by the top management
- Participating in assessing the risks and defining the treatment for risks – this is usually performed by a security manager together with other mid-level managers in the company (e.g., department heads)
- Performing regular security activities (e.g., backup) – this is usually done by everyone in the company
Audit evidence
During the audit, an auditor might ask for the following evidence regarding clause 5.3 Organizational roles, responsibilities and authorities:
- Where the security roles and responsibilities are specified.
- Whether everyone in the company is performing the specified security roles and responsibilities.
The certification auditor will ask if the following roles are defined:
- Coordination of the ISMS so that it is compliant with ISO 27001.
- Monitoring the performance of the ISMS and reporting it to top management.
- Internal audit.
The certification auditor will ask the following regarding the top management role:
- Whether top management established the Information Security Policy and objectives.
- Whether top management ensured the availability of resources necessary for the effectiveness of the ISMS, such as dedicating people, allocating time for information security activities, and providing financial resources.
- Whether top management communicated the importance of information security throughout the organization.
- Whether top management applied the ISMS in day-to-day activities to set a good example for the rest of the employees.
- Whether top management made sure that the ISMS is integrated within the company processes.
- Whether top management promotes continual improvement of the ISMS.