ISO 27001 Annex A 5.2 (Information security roles and responsibilities) requires that information security roles and responsibilities are defined and allocated according to the needs of the organization. Every security task, from approving access to reporting an incident, should have a named role that owns it. The aim is that the right tasks are done by the right people, and that nobody can assume "someone else" is handling them.
What to Do
Everyone in the organization needs a clear information security role. This is not a job for one person; the security manager owns the overall programme, but asset owners, managers, IT staff and ordinary users all carry duties of their own. Here are the steps you can take:
- Make a List: Identify every information security responsibility (for example owning an asset, approving access, handling incidents, reviewing risks) and assign each one to a named role, not just to a person, so the duty survives staff changes.
- Tell Everyone: Communicate to all staff what their duties are, including what they must do, what they must not do, and whom to report to. Awareness training and onboarding are the usual places to do this.
- Get It in Writing: Record the roles and duties in a document (a roles and responsibilities matrix, job descriptions, or both) and review it whenever people change roles. Written responsibilities are what an auditor will ask to see, and they help everyone remember their part.
What an Auditor Checks
An auditor will check that you have a document that defines information security roles and responsibilities and that it is approved and current. They will interview staff at different levels to confirm that people know their own duties and who is responsible for security matters. They will also review job descriptions, contracts and organization charts to see that the documented responsibilities match how the organization actually operates.
Common Mistakes
- Not Giving People a Job: Security duties are left implicit, so tasks such as access reviews or incident reporting have no clear owner and are missed.
- Having Too Many People in Charge: When a responsibility is shared across several people with no single accountable owner, everyone assumes someone else will act and nobody does.
- Making Rules That Do Not Work: Responsibilities are assigned to people who lack the authority, time or skills to carry them out, or the document is written once and never updated, so it no longer matches reality.
Frequently Asked Questions
What is Annex A 5.2 about?
It is about making sure all staff members know what they must do to keep information secure, and about defining who is responsible for each security task.
Who is responsible for defining the roles?
Top management must ensure that responsibilities are assigned (this is also required by clause 5.3 of ISO 27001). In practice the person in charge of security usually prepares and maintains the list, but all staff members are responsible for carrying out the duties assigned to them.
Do I need a written document?
Yes. A written document is evidence that the work has been done, and it is what an auditor will check against when interviewing staff.
How does this relate to the ISMS?
The ISMS is the whole management system for protecting information. The roles and responsibilities document is one part of that system, but it underpins many of the others, since every other control needs an owner.
What are the most common mistakes?
The top three mistakes are: not giving clear responsibilities, having too many people in charge with no single accountable owner, and assigning duties that people cannot realistically carry out.
What does an auditor check?
An auditor will review your documented roles and responsibilities and will interview staff to confirm that people know their duties and that the documented responsibilities are being followed.