Principle 3 of ISO 27001 Information Security Management Standard

Posted by Craig Thornton

Part 4 - Assignment of Responsibility for Information Security

A key principle of any information security management system (ISMS) is the assigning of responsibility for tasks associated with information security.

Throughout any ISMS there will be tasks that need to be carried out to ensure that the systems are well managed, are effective and that there is appropriate protection against the loss of availability, confidentiality and integrity of the information.


Therefore, you need to have a philosophy of holding people responsible for undertaking their tasks. 

This responsibility goes hand-in-hand with two important aspects:

  1. Accountability. If those tasks aren’t performed by the responsible person(s), then they are held accountable for not following process.
  2. Authority. Each of the tasks will have an associated authority, giving the power or right to:
    • give orders,
    • make decisions, and
    • enforce compliance.


Defining Responsibility

So in developing your ISMS you need to have clear instructions on who does what, who has responsibility for each task, how accountability is delivered and what authority people have when they follow the ISMS.

This doesn’t only apply to employees - it applies to Management as well. Because Management is responsible for creating, designing, implementing and maintaining processes, they too should be held accountable if those processes fail.

One of the easiest ways to define responsibility is to document these in policies, procedures, work instructions or position descriptions.

I have always found that position descriptions (PDs) are the best way of summarising people’s responsibilities for tasks. PDs can condense lots of documents down to a single, easy-to-understand summary. Staff can then just refer to their PD and instantly understand your organisation’s requirements for information security.

In the past, most position descriptions were created when someone started in a job and after that were never referred to again... 

They may have been looked at for a performance review. 

They may have been referred to during some disciplinary activity.  

Sometimes a Manager may have taken a cursory glance at the PD (that’s if they can find it) and then perhaps taken a moment or two to see if the document is up-to-date. And in general, that’s about it.


Position Descriptions and Information Security

My belief is that a PD is a central part of your ISMS. PDs define what your employees do, how they do it, and who they do it with. They are where authority and responsibility are clearly laid out. And because responsibilities, skill-sets, technology, and organisational structure are prone to change, PDs should be regarded as important, living documents.

They need to be regularly updated (maybe quarterly) to ensure that the latest technologies and any changes are taken into account. All changes should be clearly communicated to staff to ensure that they are always fully aware of what’s what.


Position Descriptions at Mango

For example, here at Mango each of our staff has a PD. The PD refers to their responsibilities for information security in an Appendix, which summarises those responsibilities in tabular form. These appendices are then recorded in Mango, and staff sign off (electronically) to acknowledge that they have read and understood their responsibilities.

Making sure people are held responsible for their tasks and actions is a key principle to keep in mind for your ISMS. It’s something that you must constantly be alert to. This is particularly important for teams: if everyone is responsible, then no one is responsible. People can hide in teams. You need to be "on your toes" to ensure that responsibility is well managed.



View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the need for information security 
