ISO 27001 Clause 5.3 is about making sure that everyone in a company knows their role in keeping information safe. It requires top management to assign and communicate who is responsible for what within the company’s Information Security Management System (ISMS), so that the system works as intended.
What You Need to Do
Company leaders need to make sure that roles, responsibilities, and authorities for information security are assigned to specific people and that these assignments are communicated clearly to everyone in the company.
Leaders must assign these two responsibilities in particular:
- Someone must make sure the ISMS conforms to the requirements of the standard.
- Someone must report to top leaders on how well the ISMS is performing.
How to Get It Done
- Find the Needed Jobs: First, figure out what roles you need to run your ISMS. This can include roles like a security manager or an owner for each set of data.
- Write It Down: Write down the duties of each role so that everyone knows what they need to do.
- Give out the Jobs: Assign these roles to people in the company, making sure they are competent to perform them. It is fine for one person to hold more than one role.
- Tell Everyone: Share the list of roles and duties with everyone so there is no confusion.
- Keep it Current: Keep your list of roles up to date. You can record this information in a dedicated document or in job descriptions.
What an Auditor Checks
An auditor will check a few things:
- Role Definitions: They will look at your list of roles to see whether each one is clearly defined.
- Job Assignments: They will check that these roles have actually been assigned to people.
- Clear Duties: They will check that the duties are clear and that the people assigned have the authority to carry them out.
- Communication: They will check that everyone knows their role.
Frequently Asked Questions
It helps make everyone in the company responsible for information safety. This makes the company’s security better. It also helps to prevent problems.
No, you do not need to hire a new person. You can give these jobs to people who already work for you. For example, a senior leader could be the security manager.
- Roles are the jobs people have, like “Security Manager.”
- Responsibilities are the duties that go with a job, like “writing the security rules.”
- Authorities are the powers a person has to do their job, like “approving a new security tool.”
No, but they are related. “Segregation of duties” means that a task is split among several people so that no single person can cause fraud or errors unchecked. This clause is about making sure all roles, duties, and powers are clearly defined and known to everyone.