ISO 27001 Information Security Management Standard - Clause 5.3

Posted by Craig Thornton

Part 16: Clause 5.3 Roles, Responsibilities and Authorities

If you read between the lines of this clause, it is really about bringing clarity to your information security management system (ISMS) and then communicating that clarity to your employees.

Let’s start with clarity. You need to show clarity in the roles that people have. You need to be clear about what authority and responsibility each person’s role carries.

Secondly, you need to communicate the roles, authorities and responsibilities so that everyone is aware of each other’s tasks and activities.


If those roles are clear, then your ISMS will just fall into place. It is for this reason that, in my opinion, clause 5.3 is one of the easier clauses to achieve.

However, get it wrong, and your whole system will lack direction and ultimately fail to deliver.

For an organisation to meet the desired outcomes of the ISMS, top management needs to lead this clause.  This requires establishing and communicating the following to all team members:

  • The structure of the organisation.
  • Clear lines of reporting.
  • Individual job roles, responsibilities, goals and desired outcomes.
  • The importance of protecting information security.
  • Assigning responsibility and authority to an appropriate employee to maintain the ISMS, and
  • Ensuring the processes are delivering the intended outputs.

How did Mango achieve this?

Here at Mango, our structure is simple. We use an organisational chart to display the relationships between everyone in the company. This was communicated to staff so everyone was clear on reporting lines if they had any issues. Once the structure and lines of reporting were defined, we made sure that each employee had a thorough understanding of their job role. Details of each job role needed to be provided both in writing and verbally. Just choosing one delivery method doesn’t cut it – provide only a written outline of a job role, and your employee has no opportunity to clarify, no chance to ask questions, no place to raise concerns. Just having a chat about their job role is no good either – both of you will probably forget 80% of what is discussed.

So at Mango we sat down with the staff members and discussed their unique job description. We talked them all through each responsibility and process, and defined appropriate goals that align with our system. We invited questions and provided clarification where required. Take your time over this, because it’s really important.

In addition, at Mango we also give each employee their own login to our software. This gives them access to all the ISMS information they need. Once this step is performed, we then go on to provide them with the necessary training. This process enables employees to perform their duties in line with the requirements of our ISMS.

An area that doesn’t get stressed enough is the importance of employees being aware of other colleagues’ job roles. Understanding the responsibilities of other team members helps every individual understand the impact of their own and everyone else’s input. It helps employees see the bigger picture and appreciate how they are working together to achieve the desired outcomes. One highly effective way of achieving this is documenting a ‘Roles and Responsibilities Procedure’. This is a list of all the positions in the organisation and the roles and responsibilities under each position. Again, employees need to be provided with verbal and written communication of this.

Now it’s time to discuss the most important part of the clause – the promotion of protection of information security.  Unfortunately too many organisations get too caught up focusing on their daily activities, and forget about protecting information.  Information protection needs to be at the forefront of everything an organisation does.  Here at Mango, every single team member is responsible for information security.

 

Takeaways

Here is a list of takeaways that will help you achieve this clause:

  1. Everyone needs to know their role and responsibilities and communicate with each other in order for an organisation to be effective.
  2. All communication of employee job descriptions needs to be done both verbally and in writing.
  3. Ensure that team members are actively maintaining information security.
  4. Management needs to assign the authority and responsibility of the ISMS to a suitable employee who is capable of performing the following tasks:
       • Communicate the importance of information security and the organisation’s vision, mission, policy and objectives throughout all levels of the organisation.
       • Ensure that the integrity of the system is maintained when changes to the system are planned and implemented.
       • Maintain the master list of documents such as job descriptions, processes, organisational charts and the systems procedure.
       • Ensure the processes are delivering their intended outputs.
       • Report on the performance of the ISMS and on opportunities for improvement.

 


 

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents

ISO 27001 Information Security Management Standard: Principle 9 - Ensuring a comprehensive approach to information security management 

 ISO 27001 Information Security Management Standard: Principle 10 - Continual reassessment of information security and making of modifications as appropriate

ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013 

ISO 27001 Information Security Management Standard: Clause 5.1 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 5.2 of ISO 27001:2013

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification