What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.2


When it comes to information security, one of the most dangerous phrases an organisation can hear is “I thought the other person was doing that.” Ambiguity is the enemy of security, and that is exactly what Annex A 5.2 aims to eliminate. If you are currently transitioning from the 2013 version of ISO 27001 to the 2022 update, you’ll notice that while the core requirement for “Roles and Responsibilities” remains, the way we categorise and implement them has evolved.

In the 2013 version, this control lived under Annex A.6.1.1. In the 2022 revision, it has been renumbered to Annex A 5.2. Beyond the numbers, there are several shifts in focus that you need to be aware of to ensure your Information Security Management System (ISMS) stays compliant and effective.

From A.6.1.1 to A.5.2: A New Home

The most visible change is the structural reorganisation. ISO 27001:2022 has moved away from the 14 domains of the 2013 version and consolidated its controls into four simple themes: People, Physical, Technological, and Organisational. Annex A 5.2 is now firmly placed within the Organisational theme.

This shift emphasises that defining “who does what” isn’t just a Human Resources task or a technical requirement—it is a fundamental organisational process. According to Hightable.io, this control is the “operational backbone” of your ISMS, ensuring that leadership doesn’t just delegate security but actively governs it.

The Focus on “Active” Assignment

In the 2013 version, many organisations fulfilled A.6.1.1 by having a static list of roles in a dusty PDF manual. The wording of the control itself changed little: the 2013 text required that "all information security responsibilities shall be defined and allocated", and the 2022 text requires that roles and responsibilities be "defined and allocated according to the organization needs". The practical shift is in what counts as evidence: the 2022 update places a heavier emphasis on the actual assignment and communication of these roles, not merely their documentation.

It is no longer enough to say that a “Security Manager” role exists; you must be able to show that specific individuals have been appointed, that they have the authority to carry out their duties, and—most importantly—that they know they have been appointed. As highlighted by Hightable.io, auditors are now looking for evidence of “acknowledgement,” where employees sign off or confirm their understanding of their specific security responsibilities.

Bridging the Gap Between Management and Operation

A subtle but critical change in the 2022 version is the closer alignment between Annex A 5.2 and Clause 5.3 (Organisational roles, responsibilities and authorities). Clause 5.3 sits in the mandatory main body of the standard and requires top management to ensure that the responsibilities and authorities for information security roles are assigned and communicated within the organisation; Annex A 5.2 is the control, selected through your Statement of Applicability, that provides the "how-to" for doing so across the organisation. An auditor will expect the two to tell the same story: the roles management says exist in Clause 5.3 evidence should be the roles actually allocated under A 5.2.

The 2022 version makes it clearer that security is a top-down commitment. You are now expected to define roles that cover the entire lifecycle of information, including:

  • Asset Owners: Who is accountable for specific data sets or systems?
  • Risk Owners: Who has the authority to accept or mitigate a business risk?
  • Process Owners: Who ensures that security is baked into daily workflows like HR onboarding or IT patching?

Key Implementation Steps for the 2022 Version

If you are updating your ISMS to meet the new standard, your approach to Annex A 5.2 should involve more than just a search-and-replace of the control numbers. Consider these practical steps:

  • Use a RACI Matrix: This is the most effective way to show who is Responsible, Accountable, Consulted, and Informed for every security control. It eliminates the “I thought you were doing it” trap.
  • Integrate with Job Descriptions: Don’t keep security roles in a separate silo. Ensure that security expectations are written directly into employment contracts and job descriptions.
  • Evidence of Competence: Clause 7.2 (Competence) has required this since 2013, but the 2022 version makes the link between an assigned role and the competence behind it easier for an auditor to test. If you assign someone as an "Incident Lead", you should have records showing they have the training or experience to handle that role.
  • Regular Reviews: Roles change as people leave or join the company. Your role register should be a living document, reviewed at least annually or whenever a significant organisational change occurs.
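As an added example (not code from the original article or from Hightable.io), the following Python check runs the RACI rules above over a constructed role register: exactly one Accountable owner per control, at least one Responsible, a recorded acknowledgement from everyone who is Responsible or Accountable, a review within the last year, no assignment to someone who has left, and no required control left without any owner. The control numbers follow ISO 27001:2022 Annex A; the people, dates, staff list and the set of "required" controls are made up for the example.

```python
"""Check a RACI-style role register against the Annex A 5.2 practices described above.

Added example with constructed data. Control IDs use the ISO 27001:2022 Annex A
numbering (5.2, 5.24, 8.8, 6.3); the names, dates and staff list are invented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

REVIEW_INTERVAL = timedelta(days=365)  # "reviewed at least annually"


@dataclass
class Assignment:
    control: str                      # Annex A control, e.g. "5.24"
    person: str
    raci: str                         # one of "R", "A", "C", "I"
    acknowledged: bool = False        # has the person signed off on the duty?
    last_reviewed: Optional[date] = None


@dataclass
class Finding:
    control: str
    code: str                         # machine-readable rule that fired
    detail: str                       # human-readable explanation


def validate_register(assignments: List[Assignment], staff: Set[str],
                      required_controls: Set[str], today: date) -> List[Finding]:
    """Return every rule violation in the register. An empty list means the register is clean."""
    findings: List[Finding] = []
    by_control = {}
    for a in assignments:
        by_control.setdefault(a.control, []).append(a)

    # A required control with no row at all is the classic "nobody owns it" gap.
    for control in sorted(required_controls - by_control.keys()):
        findings.append(Finding(control, "UNASSIGNED_CONTROL", "no one is assigned to this control"))

    for control, rows in sorted(by_control.items()):
        accountable = [r.person for r in rows if r.raci == "A"]
        responsible = [r.person for r in rows if r.raci == "R"]
        if not accountable:
            findings.append(Finding(control, "NO_ACCOUNTABLE", "no Accountable owner"))
        elif len(accountable) > 1:
            # Two people accountable is how "I thought you were doing that" happens.
            findings.append(Finding(control, "MULTI_ACCOUNTABLE",
                                    "more than one Accountable owner: " + ", ".join(accountable)))
        if not responsible:
            findings.append(Finding(control, "NO_RESPONSIBLE", "nobody is Responsible for doing the work"))

        for r in rows:
            if r.person not in staff:
                findings.append(Finding(control, "LEAVER", f"{r.person} is no longer on the staff list"))
            if r.raci in ("R", "A") and not r.acknowledged:
                findings.append(Finding(control, "UNACKNOWLEDGED",
                                        f"{r.person} ({r.raci}) has not acknowledged the role"))
            if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL:
                findings.append(Finding(control, "STALE_REVIEW",
                                        f"assignment for {r.person} not reviewed in the last year"))
    return findings


# Constructed sample register (assumed data, not from any real organisation).
SAMPLE_STAFF = {"alice", "bob", "carol"}          # "dave" has left
SAMPLE_REQUIRED = {"5.2", "5.24", "6.3", "8.8"}
SAMPLE_ASSIGNMENTS = [
    Assignment("5.2", "alice", "A", True, date(2024, 3, 1)),
    Assignment("5.2", "bob", "R", True, date(2024, 3, 1)),
    Assignment("5.24", "alice", "A", True, date(2024, 3, 1)),
    Assignment("5.24", "bob", "A", True, date(2024, 3, 1)),     # second Accountable
    Assignment("5.24", "carol", "R", False, date(2024, 3, 1)),  # never signed off
    Assignment("8.8", "dave", "R", True, date(2022, 1, 10)),    # leaver, stale, no A
]


def run_sample() -> List[Finding]:
    """Run the checks over the constructed register as of 1 June 2024."""
    return validate_register(SAMPLE_ASSIGNMENTS, SAMPLE_STAFF, SAMPLE_REQUIRED, date(2024, 6, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"A {f.control}: [{f.code}] {f.detail}")
```

Control 5.2 in the sample passes every rule; the other three lines of output are the findings an auditor would otherwise discover for you. Feeding the check from your HR leaver list and your real role register turns the "living document" review into something you can run before every management review rather than once a year.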

Why This Change Matters

The move from 2013 to 2022 reflects the modern reality of cyber security. With the rise of remote work and cloud services, security is no longer just the “IT Department’s job.” By tightening the requirements around roles and responsibilities, ISO 27001:2022 ensures that every person in the organisation knows their part in the defensive line.

When roles are clearly defined and actively managed, audits become a breeze because the evidence of ownership is clear. More importantly, your organisation becomes more resilient because every potential security gap has an owner looking after it.