{"id":9885,"date":"2016-06-20T21:21:32","date_gmt":"2016-06-20T21:21:32","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=9885"},"modified":"2025-04-11T07:32:46","modified_gmt":"2025-04-11T07:32:46","slug":"how-to-document-roles-and-responsibilities-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/06\/20\/how-to-document-roles-and-responsibilities-according-to-iso-27001\/","title":{"rendered":"How to document roles and responsibilities according to ISO 27001"},"content":{"rendered":"<p>Information security professionals who are new to\u00a0<a title=\"ISO 27001\" href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0very often tend to think this standard requires a very centralized and very detailed definition of roles and responsibilities. Actually, this is not true.<\/p>\n<p>Please don\u2019t get me wrong: assigning and communicating roles and responsibilities\u00a0is important, because that is how all employees in the company will know what is expected of them, what their impact is on information security, and how they can contribute. 
But ISO 27001 allows you to do it in a way that is natural for your business and does not introduce additional overhead \u2013 let\u2019s see how\u2026<\/p>\n<h2>What does ISO 27001 require?<\/h2>\n<p>Clause 5.3 says that top management should assign top-level responsibilities and authorities for two main aspects:<\/p>\n<ul>\n<li>First, the responsibilities for ensuring that the ISMS fulfills the requirements of ISO 27001.<\/li>\n<li>Second, the responsibilities for monitoring the performance of the ISMS\u00a0and reporting to top management.<\/li>\n<\/ul>\n<p>The responsibilities for the implementation of controls should be documented through the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-treatment-plan\" target=\"_blank\" rel=\"noopener\">Risk treatment plan<\/a>; see this article for details:\u00a0<a title=\"Risk Treatment Plan and risk treatment process \u2013 What\u2019s the difference?\" href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/#treatment\" target=\"_blank\" rel=\"noopener\">Risk Treatment Plan and risk treatment process \u2013 What\u2019s the difference?<\/a><\/p>\n<p>Further, ISO 27001 mentions responsibilities in several places (e.g. 
controls and subsections A.6.1.1, A.7.1.2, A.7.3.1, A.9.3, A.12.1, A.16.1.1, A.18.2.2); however, it does not define how those responsibilities should be documented \u2013 this basically means you\u2019re free to define them in any way you feel is appropriate.<\/p>\n<p style=\"padding-top: 10px; padding-bottom: 10px;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-22366\" src=\"\/wp-content\/uploads\/\/sites\/5\/2016\/06\/27001-responsibilities.jpg\" alt=\"ISO 27001 - How to document roles and responsibilities\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2016\/06\/27001-responsibilities.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2016\/06\/27001-responsibilities-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2016\/06\/27001-responsibilities-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>Options for top-level responsibilities<\/h2>\n<p>The top-level responsibilities and authorities can be given to one or more people in the company, depending on what is most appropriate. For example, for small companies with a simple ISMS,\u00a0it is logical to assign one person to be responsible for implementing all the requirements from ISO 27001 and reporting the performance of the ISMS to top management. This is usually the CISO; see also:\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">What is the job of Chief Information Security Officer (CISO) in ISO 27001?<\/a><\/p>\n<p>For bigger companies with a more complex ISMS,\u00a0it might be more practical to have one person responsible for implementing the requirements and another for reporting. 
Another option would be to have one person responsible for implementing the requirements and reporting for one segment of the ISMS (for example, HR security), and another person for another segment, such as incident management.<\/p>\n<h2>Where to document roles and responsibilities<\/h2>\n<p>You can document the general information security roles and responsibilities in job descriptions, or as part of the organizational chart, or in the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information Security Policy<\/a>.<\/p>\n<p>Of course, you should document specific security roles and responsibilities in more detail in the various policies, procedures, plans, and other documents that you will develop as part of the ISO 27001 implementation.<\/p>\n<p>So in practice, on the lower organizational level, security roles and responsibilities\u00a0will be assigned as regular tasks \u2013 e.g., the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" target=\"_blank\" rel=\"noopener\">Backup policy<\/a> will define initiating a backup at a particular time of day. These tasks should be given to the people who are probably already doing them; only now these roles and responsibilities will be more formal. Monitoring and reporting should also be done through regular channels \u2013 typically, the direct superior of particular employees is in charge of monitoring\u00a0them and reporting on their results.<\/p>\n<p>In other words, there is no need to have one document that would centrally define all detailed security roles and responsibilities. 
Such a document wouldn\u2019t be practical because of the redundancy \u2013 any time you would change some role or responsibility in a particular procedure, you would also have to change it in this central document. Sooner or later, a discrepancy would occur, and believe me \u2013 such a situation is quite a big problem when dealing with the documentation.<\/p>\n<h2>ISMS documentation should serve you, not the other way around<\/h2>\n<p>So, to conclude: creating documents only for the purpose of showing them to the certification auditor does not make sense \u2013 you should be creating documents to help you do your job.<\/p>\n<p>In other words, ISO 27001 documentation should be your tool for improving your security activities \u2013 therefore, when you define roles and responsibilities you should write them in a way that is easy to understand, and write them in a place that is logical to find.<\/p>\n<p><em>To see how employees can collaborate on ISO 27001 ISMS implementation steps, documents, and all the necessary tasks,\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a 14-day free trial<\/a> <em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Information security professionals who are new to\u00a0ISO 27001\u00a0very often tend to think this standard requires a very centralized and very detailed definition of roles and responsibilities. Actually, this is not true. 
Please don\u2019t get me wrong: assigning and communicating roles and responsibilities\u00a0is important, because that is how all employees in the company will know what &#8230;<\/p>\n","protected":false},"author":26,"featured_media":22366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,500,1079],"class_list":["post-9885","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-ciso","tag-roles-and-responsibilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=9885"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9885\/revisions"}],"predecessor-version":[{"id":103871,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9885\/revisions\/103871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/22366"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=9885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=9885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=9885"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}