ISO27001 & The Roles, Responsibilities and Authorities Clause
If you have already obtained ISO9001 you will recognise the name of this clause because, of course, both standards are aligned to the same high-level structure. The other bonus of already holding 9001 is that you are most of the way there in meeting the requirements of this clause for your Information Security Management System.
The intention of clause 5.3 of ISO27001:2013 is to ensure that your organisation has the required clarity around who is responsible for what in your Information Security Management System, who has the authority to make decisions or set policies, and which roles should report on how the system is performing.
The Role of Top Management
When you really look at clause 5.3, what it is saying is: communicate. Ensure that everyone in the organisation knows exactly what the requirements of your ISMS are and where they fit into those requirements.
There are two requirements of the clause: that the information security management system conforms to the requirements of the ISO27001 standard, and that reporting on the performance of the ISMS to top management occurs. To be able to do either of these things, everyone needs to know what is expected of them, so it must be communicated.
When it comes to the role of the top management of the organisation, it is important to remember the old adage "The Buck Stops Here". It is top management's responsibility to make sure everything is in place in the organisation to meet the requirements of this clause, to ensure that everything is correctly communicated and, of course, that it is being followed through on.
Like everything, there is a right way and a wrong way of doing these things. The wrong way would be to just write a big document and hope that it ticks the box; it will not.
How to Meet Clause 5.3 for ISO27001
Meeting the requirements is not that hard, and the benefits of doing it right are huge for the organisation: it provides clarity and alignment throughout the whole organisation with respect to how everyone fits into the information security management system.
To do this, top management must be the ones to lead the implementation of this clause. They need to ensure that they have clearly communicated what the structure of the organisation is and how people fit into it. They need to establish clear lines of reporting within the organisation and ensure that people understand them. As with 9001, they need to ensure that everyone in the organisation has an individual job role with responsibilities outlined in terms of the ISMS. People need to know what the desired outcomes of the system are and what the goals are (plus their individual goals). Perhaps the most important thing that top management needs to communicate is the importance to the organisation of protecting its information.
Some organisations believe that just because something is written down and handed out it has been communicated. It has not; it has been documented, and that is different. To communicate it you actually need to talk with people, to let them ask questions and to give them answers. Have the conversation.
Using an organisational chart is a really useful way to help people visualise things, highlighting the roles, responsibilities and authorities on the structure as you go through it. Walk people through it as a group where possible, and individually where required.
As mentioned previously, in line with ISO9001 everyone needs a job description, and with ISO27001 you need to include the relevant parts of the information security management system in it. Again, talk people through it; don't expect them to read it and get exactly the same meaning as you, because people can take different meanings from the slightest ambiguity. Again, expect and prompt for questions so that you can ensure clarity.
Another option that you can explore is to create a matrix or a document clearly listing all of the roles and responsibilities that exist with respect to the ISMS.
Finally, the critical part that top management must ensure is done is the constant communication, cheerleading and all-out promotion of the importance of good information security management and the need to follow the organisation's policies. They should focus on the benefits for the company and the employees in this communication. They need to help ensure that everyone understands how important it is and that it forms a key part of everyone's thinking about how the business works; it should be automatic: "if we do this it will breach our ISMS policy" or "doing that will increase the risk of an information security event happening". Everyone needs to understand that they are responsible for your information security management system being a success and for your information being kept secure.
Consider this a good gauge of whether you have communicated all these things well enough: you will know that you are there when people tell you to stop talking about it already. And do you know what you should be doing at that point? Yep, communicate it some more!
Copyright
© Many Caps Consulting Ltd | All Rights Reserved