top of page

ISO27001:2022 - A5.2 Information security roles and responsibilities

Updated: Mar 6

The Annex 5.2 Information Security Roles and Responsibilities control is extremely important as it not only sets out the roles and responsibilities of those involved in information security, but sets out clear expectations.


Some will have you believe that this is complicated but it’s not!


Let’s take this requirement apart and show you how it works.


What is expected?


The standard states that “Information security roles and responsibilities shall be defined and allocated according to the organisations needs” (A5.2 Roles and Responsibilities)


Note: ‘roles’ and ‘responsibilities’, ‘defined’ and ‘allocated’; Four requirements.


What is required?

According to the standard you need to “establish a defined, approved and understood structure for the implementation, operation and management of information security within your organisation.”


What do you need to do?

You’re going to refer to your ‘Interested Parties’ that you identified previously when you looked at internal and external parties.  In the main, we’ll focus on the internal interested parties but there may be roles and responsibilities of others that need to be considered.


Let’s imagine your interested parties looked like this;


·        Top Management

·        Employees

·        Shareholders

·        Suppliers


This is a great start, and although it won’t be all suppliers, it gives us something to consider.


Now, start a new document in Excel and call it “Roles and Responsibilities”.


In addition to the groups listed above, you should add;


·        The Management Review team

·        The Incident Response team


In the document you have created, you can have columns which clearly define what their role and responsibilities are. For example:



Responsibility / Authority

Top management

To provide leadership and support for the security programme.

·        Set overall business strategy

·        Allocating Resources

·        Setting and agreeing Budgets

·        Sign-off policies

·        Ensure compliance with appropriate legislation

·        Reporting breaches to legal or regulatory bodies

Supplier – IT Support

Support of the Technical infrastructure

·        Back-up management

·        Cloud environment security

·        E-mail security

·        Patch Management

This is also a great way to demonstrate that you have assigned authorities, under Clause 5.3 Organisational Roles, Responsibilities and Authorities.  Remember that identifying their authority is about understanding what authority they have. For example, do they have authority to agree increase in budgets? Or is that someone else’s responsibility?


It’s important to allocate these roles and responsibilities in line with your information security policies, so refer to A5.1 Information Security Policies if you haven’t already defined these.


Job descriptions - Roles and Responsibilities

It’s worth remembering that there is probably already a great wealth of information available to you already, stored in your Job Descriptions (JDs).


JDs will outline the role of key people, and will explain what they are responsible for. Seek these out for key people in your organisation, and also ask for a more generic JD.  What does it say about Security and/or Data Protection? If you can, ask your HR function to include a couple of lines within the JD template, so that it makes it everyone’s responsibility to maintain security!


Once you’ve reviewed the JD’s, make sure you’re clear about the following roles and define them in the spreadsheet you have created.  These roles are;


·        Chief Information Security Officer (CISO)

·        Chief Technology Officer (CTO)

·        Data Protection Officer (DPO)

·        Information Security Manager


Don’t worry if these roles don’t exist. But if they do, these people will be responsible for setting strategic direction for your information security programme, or may be actively involved in the Business Continuity process.


Your job here is to identify the people who will take an active part in your security programme. Then you will outline what you expect of these people, and then communicate this to them. This is how you achieve buy-in to your programme, you become ISO27001 AND become a more secure business!


It’s a triple win!


What the auditor is looking for in A5.2

For ISO27001 compliance you’ll need to have in place the following;


·        Defined Roles and Responsibilities (the document described above)

·        Job Descriptions (as described above)


It’s that simple. Don’t over complicate this.


ISO27001:2022 A5.2 Q & A

What’s the biggest mistake people make with this control?

First, they don’t create a specific ‘Roles and Responsibilities’ document which identifies the key groups and individuals that will help you in your quest to achieve ISO27001. So remember to create a document.


Second, they over complicate things. Don’t feel you have to identify every role. Keep in mind the following roles and consider their impact on ISO27001;


·        CEO / Business owner

·        Information Security Manager

·        Data Protection Officer

·        Business Continuity Manager


What happens if more than one person performs a role?

That’s fine because we’re talking about a role, not a person. For example, one person can be the Information Security Manager and the Data Protection Officer, but their responsibilities will be very different and their authority is likely to be different too.


To satisfy this requirement, focus on the role, not the person.


What groups do I need?

For management of your ISMS you should identify and document the following;

·        The Board

·        Management Review Team

·        Incident Management Team


Should  we include this as ‘Applicable’ control?

Yes. Even if you are a sole trader, it is still important to identify the different roles you will play (remember to focus on the role not the person). For the vast majority of implementations you will have multiple people to consider and they will have an impact on information security.


Difficulty rating

We rate this a 2 out of 5 difficulty rating.

This means that it requires minimum technical skills to satisfy the requirement.


More questions?

Just remember that nothing in ISO27001 sits in isolation, so you should review our ISO27001 FAQ to gain answers to other aspects of the standard, but if you’re still confused by what roles and responsibilities means to you and your organisation, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.

113 views0 comments


bottom of page