See also:

- [a-5.2-Information-security-roles-and-responsibilities](../Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)

For examples of defined roles, see:

- Platform 161, ISP §3.6
- Open-ICT
- Methode NHC
- [OrgFit Architectuurprincipes Humankind](../../Clients/Humankind/OrgFit%20Architectuurprincipes%20Humankind.md)

Related:

- [Asset ownership](../🎇%20Sparks/Asset%20ownership.md)
- [Control ownership](../Sparks/Control%20ownership.md)
- [Risk ownership](../🎇%20Sparks/Risk%20ownership.md)
- [Segregation of Duties](Segregation%20of%20Duties.md)
- [Access Control Models](../Sparks/Access%20Control%20Models.md)

**Roles according to CISSP (p. 23 ff.):**

* Senior Manager: decides on policies, ultimately responsible.
* Security Professional: writes and implements the policies.
* Data Owner: classifies information, ultimately responsible for the protection of their data.
* Data Custodian: responsible for implementing the controls.
* User: has access to the protected information. Responsible for understanding and following the security policy.
* Auditor: reviews the policy, verifies that it is properly implemented, and that the implemented controls are adequate.

**Roles according to [source](https://groups.google.com/g/iso27001security/c/z4DwcXmZGo4):**

Information security functions are generally split across several areas:

1. Information security management
   - setting direction;
   - setting policy;
   - analysing and advising on the treatment of information security risks;
   - developing or commissioning standards, procedures and guidelines, plus security awareness and training materials;
   - liaising with general management, risk management, HR, legal etc. on information security matters;
   - security incident management;
   - ISMS management and direction;
   - line management for the security function.
   - Staffed with security managers and security officers.
2. Information security administration/operations
   - user access management (access rights, passwords, joiners/movers/leavers);
   - log analysis;
   - security awareness & training delivery;
   - assisting with incidents and investigations etc.
   - Staffed with security analysts.
3. Information security architecture & design
   - pushing information security deep into IT application development, IT procurement etc.;
   - providing architectural guidance, policies and standards on various security matters (such as authentication, cryptography and security logs) etc.
   - Staffed with security architects.
4. Physical/site security
   - often an independent function but with close liaison to information security.
   - Staffed with security guards.
5. Fraud
   - again, often independent but with liaison, especially for incident investigation and analysis.
   - Staffed with fraud specialists.

[This article](https://ins2outs.com/roles-required-implementing-isoiec-27001-information-security-management-system/) defines six roles and assigns responsibilities to each role:

* Employee
* Information Security Officer
* IT Administrator
* Top Management
* Internal auditor
* Data Protection Officer

[This article](https://risk3sixty.com/2019/09/03/iso-27001-understanding-security-roles-and-responsibilities-and-why-they-are-vital-to-the-success-of-your-security-program/) identifies five 'typical roles and responsibilities':

* Security leadership
* Security risk management
* Internal audit
* Control owners
* All employees

[This article](https://info-savvy.com/iso-27001-clause-5-3-and-clause-7-1-resources-and-roles-responsibility/) identifies somewhat different roles:

* Information owners;
* Process owners;
* Asset owners (e.g. application or infrastructure owners);
* Risk owners;
* Information security coordinating functions or persons (this particular role is generally a supporting role within the ISMS);
* Project managers;
* Line managers;
* Information users.