richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up Literature folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions
Download patch file Download diff file Expand all files Collapse all files

84
Corpus/Information Security/Roles in Information security management.md Normal file
View file

@ -0,0 +1,84 @@
See also:
- [a-5.2-Information-security-roles-and-responsibilities](../Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)
For examples of defined roles, see:
- Platform 161, ISP §3.6
- Open-ICT
- Methode NHC
- [OrgFit Architectuurprincipes Humankind](../../Clients/Humankind/OrgFit%20Architectuurprincipes%20Humankind.md)
Related:
- [Asset ownership](../Sparks/Asset%20ownership.md)
- [Control ownership](../ISMS/Control%20ownership.md)
- [Risk ownership](Risks/Risk%20ownership.md)
- [Segregation of Duties](../ISMS/Segregation%20of%20Duties.md)
- [Access Control Models](../ISMS/Access%20Control%20Models.md)
**Roles according to CISSP (p. 23 ev.):**
* Senior Manager: decides on policies, ultimately responsible.
* Security Professional: writes and implements the policies.
* Data Owner: classifies information, ultimately responsible for protection of his data.
* Data Custodian: responsible for implementing the controls.
* User: has access to the protected information. Responsible for understanding and following the security policy.
* Auditor: reviews the policy, verifies that it is properly implemented, and that the implemented controls are adequate.
**Roles according to [source](https://groups.google.com/g/iso27001security/c/z4DwcXmZGo4):**
Information security functions are generally split across several areas :
1. Information security management
- setting direction;
- setting policy;
- analysing and advising on the treatment of information security risks;
- developing or commissioning standards, procedures and guidelines, plus security awareness and training materials;
- liaising with general management, risk management, HR, legal etc. on information security matters;
- security incident management;
- ISMS management and direction.
- line management for the security function;
- Staffed with security managers and security officers.
2. Information security administration/operations
- user access management (access rights, passwords, joiners/movers/leavers);
- log analysis;
- security awareness & training delivery;
- assisting with incidents and investigations etc.
- Staffed with security analysts.
3. Information security architecture & design
- pushing information security deep into IT application development, IT procurement etc.;
- providing architectural guidance, policies and standards on various security matters (such as authentication, cryptography and security logs) etc.
- Staffed with security architects.
4. Physical/site security
- often an independent function but with close liaison to information security.
- Staffed with security guards.
5. Fraud
- again, often independent but with liaison, especially for incident investigation and analysis.
- Staffed with fraud specialists.
[This article](https://ins2outs.com/roles-required-implementing-isoiec-27001-information-security-management-system/) defines 6 roles and assigns responsibilities to each role:
* Employee
* Information Security Officer
* IT Administrator
* Top Management
* Internal auditor
* Data Protection Officer
[This article](https://risk3sixty.com/2019/09/03/iso-27001-understanding-security-roles-and-responsibilities-and-why-they-are-vital-to-the-success-of-your-security-program/) identifies five typical roles and responsibilities:
* Security leadership
* Security risk management
* Internal audit
* Control owners
* All employees
[This article](https://info-savvy.com/iso-27001-clause-5-3-and-clause-7-1-resources-and-roles-responsibility/) identifies somewhat different roles:
* Information owners;
* Process owners;
* Asset owners (e.g. application or infrastructure owners);
* Risk owners;
* Information security coordinating functions or persons (this particular role is generally a supporting role within the ISMS);
* Project managers;
* Line managers;
* Information users.