# ISMS Governance Model

A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.

*Based on [Governance model for Policies and Controls](../Standards/ISO27x/about/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*

## Policy Lifecycle: Who Does What

### Key Players

**Top Management**
The buck stops here. They don't write policies, but they commission them, approve them, and make sure there's budget for security.

**Security Manager/CISO**
The person who actually writes the policies, keeps them updated, and knows what they're talking about. They might bring in outside experts when needed.

**Line Managers**
The bridge between policy and practice. They make sure their teams know what's expected and actually follow through.

**Everyone Else**
Read the policies, acknowledge them, follow them.

### How Policies Get Made

| Step | Who's Responsible |
|:-----|:-----------------|
| **Commission** | Top management says "we need a policy for X" |
| **Draft** | Security manager writes it |
| **Consult** | Subject matter experts review it (legal, HR, IT) |
| **Approve** | Top management signs off (or delegates for specific policies) |
| **Communicate** | Security/HR publishes it where people can actually find it |
| **Acknowledge** | Everyone confirms they've read it |
| **Review** | Security manager revisits it regularly or after incidents |

Think of it like passing a law: the mayor commissions it, lawyers draft it, city council approves it, district captains enforce it, and citizens follow it.

## Key Roles in ISO 27001

**Top Management**
Sets direction, assigns responsibilities, reviews the whole system periodically.

**Risk Owners**
Own specific risks. They approve how risks get handled and accept whatever risk remains after controls are in place.

**Asset Owners**
Responsible for protecting specific assets throughout their lifecycle. They classify data, set access rules, and authorize disposal. They can delegate tasks but remain accountable.

**Security Function**
Usually a CISO or security manager. Makes sure the ISMS actually works and reports on its performance.

**Other Roles You'll Need**

- Privacy officer (if handling personal data)
- Project managers (to bake security into projects)
- Internal auditors (to check if things actually work)
- System administrators (the people with the keys to the kingdom)

## Who Does What with Controls

Controls are the actual security measures you implement. Here's who handles them:

**Top Management**
Provides resources, assigns reporting responsibilities, reviews everything at management meetings.

**Risk Owners**
Approve which controls get implemented and accept leftover risk.

**Asset Owners**
Make sure assets are properly protected and periodically check that access controls still make sense.

**Line Managers**
Enforce policies with their teams, check compliance regularly, fix problems when they find them.

**CISO/Security Manager**
Oversees implementation, helps identify risks, supports monitoring activities.

**Internal Auditors**
Check if controls actually work and if the ISMS meets requirements. They don't implement anything; they just verify.

**Everyone**
Follow the rules and report security issues when they spot them.

### Quick Reference

| Role | Implementing | Monitoring | Evaluating |
|:-----|:------------|:-----------|:-----------|
| Top Management | Fund it | Review reports | Annual reviews |
| Risk Owner | Approve treatment plans | Accept residual risk | Check risk status |
| Asset Owner | Protect the assets | Review access periodically | Verify inventory |
| Line Manager | Enforce with staff | Regular compliance checks | Report findings |
| Internal Auditor | — | — | Test if it works |

### Simple Analogy

Think city infrastructure:

- **Top Management** = City Council (budget for road safety, review annual reports)
- **Risk Owner** = City Planner (decides that intersection needs a traffic light)
- **Asset Owner** = Road Maintenance (installs and maintains the lights)
- **Line Manager** = Police Captain (makes sure officers enforce traffic laws)
- **Internal Auditor** = Inspector General (checks if lights meet codes and tickets are being issued)