The basics
ISO 27001 control A.5.2 Information security roles and responsibilities requires companies to define who does what and who is accountable for what, and to communicate these roles and responsibilities so that interested parties know what is expected of them regarding information security.
Documentation
ISO 27001 control A.5.2 Information security roles and responsibilities can be documented by writing roles and responsibilities down in one or more of the following places:
- Through employment agreements – this is mandatory.
- Through internal security policies and procedures – this is a best practice.
- Through a centralized document – only some companies use this approach.
Note: Merely referring to the best practices in ISO 27001 or ISO 27002 in employment agreements is not enough, because these standards are generic: they do not name specific roles and are not adapted to the company’s needs.
Implementation
In order to comply with control A.5.2 Information security roles and responsibilities, you might implement the following:
- Technology — Companies of all sizes need to configure their IT systems according to the roles and responsibilities defined in their policies and procedures. For example, if the Backup Policy defines that the system administrator is in charge of performing the backup, then this person needs the rights on that server required to run it, and, following least privilege, no more than that: a backup-operator role rather than full administrative rights where the platform offers one. Companies of all sizes will usually be able to document roles and responsibilities with the same software they use to edit their policies and procedures. The allocation itself may be recorded in a documented responsibility matrix and enforced by configuring systems according to defined profiles, so that every right a person holds can be traced back to a documented responsibility.
- Organization/processes — you should set up a process that defines how required roles and responsibilities are identified, documented, communicated, and enforced. You can document those processes through employment agreements or through internal security policies and procedures.
- People — make employees aware of why roles and responsibilities need to be defined and allocated, and train managers in how to identify and allocate them.
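To show how the Technology point above can be checked in practice, the following is an added example, not code from the original page or from the ISO standard. It reconciles a documented responsibility matrix with an export of the effective rights on a server and reports two kinds of discrepancy: a duty whose holder lacks the rights to carry it out, and a right that no assigned duty justifies. The duty names, privilege names, people and systems are constructed for illustration, and the mapping of each duty to a privilege (for example backup_operator for performing backups) is an assumption standing in for whatever the company's own policies define.

```python
"""Reconcile a documented responsibility matrix against effective rights.

Added example: the data below is constructed, and the duty-to-privilege
mapping is an assumption; a real company takes both from its own policies
and from an export of the rights actually configured on its systems.
"""

# Minimum privilege each documented duty needs on a system (assumption:
# the Backup Policy needs a backup-operator role, not full admin rights).
DUTY_PRIVILEGE = {
    "perform_backup": "backup_operator",
    "restore_backup": "backup_operator",
    "administer_server": "admin",
    "review_logs": "log_reader",
}

# Constructed responsibility matrix: (duty, system) -> responsible person.
RESPONSIBILITY_MATRIX = {
    ("perform_backup", "fileserver01"): "alice",
    ("restore_backup", "fileserver01"): "alice",
    ("administer_server", "fileserver01"): "bob",
    ("review_logs", "fileserver01"): "carol",
}

# Constructed export of effective rights: (person, system) -> privileges held.
EFFECTIVE_RIGHTS = {
    ("alice", "fileserver01"): {"backup_operator", "admin"},  # admin is excess
    ("bob", "fileserver01"): {"admin"},
    ("carol", "fileserver01"): set(),                          # log_reader missing
    ("dave", "fileserver01"): {"backup_operator"},             # no assigned duty
}


def required_rights(matrix, duty_privilege=DUTY_PRIVILEGE):
    """Derive (person, system) -> privileges the matrix entitles them to."""
    required = {}
    for (duty, system), person in matrix.items():
        required.setdefault((person, system), set()).add(duty_privilege[duty])
    return required


def reconcile(matrix, rights, duty_privilege=DUTY_PRIVILEGE):
    """Compare documented responsibilities with configured rights.

    Returns a sorted list of (kind, person, system, privilege) findings:
    'missing' means the person cannot carry out an assigned duty,
    'excess' means the person holds a right no assigned duty justifies.
    """
    required = required_rights(matrix, duty_privilege)
    findings = []
    for person, system in sorted(set(required) | set(rights)):
        need = required.get((person, system), set())
        have = rights.get((person, system), set())
        for priv in sorted(need - have):
            findings.append(("missing", person, system, priv))
        for priv in sorted(have - need):
            findings.append(("excess", person, system, priv))
    return findings


if __name__ == "__main__":
    for kind, person, system, priv in reconcile(RESPONSIBILITY_MATRIX, EFFECTIVE_RIGHTS):
        print(f"{kind:8} {person}@{system}: {priv}")
```

Run against the constructed data, the check flags alice's unjustified admin right, carol's missing log_reader right and dave's backup_operator right that no documented duty explains, while bob's admin right is accepted because the matrix assigns him the server administration duty. The same reconciliation can be fed from a real responsibility matrix and a real rights export, and its output is the kind of evidence an auditor asks for when checking that allocated responsibilities are actually enforced on systems.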
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.2 Information security roles and responsibilities: whether the relevant information security roles and responsibilities are defined (e.g., in employment agreements, policies and procedures, or a responsibility matrix), whether they have been communicated to the people who hold them (e.g., signed agreements, or training and awareness records), and whether the access rights configured on systems match the responsibilities that have been assigned.