Defining the roles and responsibilities required for an ISMS based on ISO/IEC 27001:2013 is not always an easy task.

A common approach is to start by defining the CISO (Chief Information Security Officer) role or the ISMS manager role. Ensuring that the ISMS conforms to the requirements of the standard, and that there are clear responsibilities for reporting the performance of the ISMS to top management, is critical for conformity with clause 5.3 of ISO/IEC 27001:2013.

In a smaller organization, several roles may be carried out by the same person. However, management should explicitly identify the role (typically the CISO or similar) with overall responsibility for managing information security, and staff should be assigned roles and responsibilities based on the skills required to perform the job. This is critical to ensure that the tasks are carried out efficiently and effectively.


The most important considerations for the definition of roles in information security management are:

a)  overall responsibility for the tasks remains at the management level

b)  one person (usually the Chief Information Security Officer) is appointed to promote and coordinate the information security process

c)  each employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organization.


To support us in this step we will use control A.6.1.1 from ISO/IEC 27001:2013 Annex A, the guidance for this control in ISO/IEC 27002:2013, clause 6.1.1, and the support of ISO/IEC 27003:2010, clause 5.3.2, with reference to Annex B, Table B.1 — List of exemplified Roles and Responsibilities for Information Security.

Remember that the allocation of security responsibilities should be done in accordance with the security policies (ISO/IEC 27002, clause 5.1.1, b).

Last Modified: March 8, 2017