ISMS Governance Model
A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
It is based on the Governance model for Policies and Controls, which contains the references to the standard.
Policy Lifecycle: Who Does What
Key Players
**Top Management** The buck stops here. They don't write policies, but they commission them, approve them, and make sure there's budget for security.
**Security Manager/CISO** The person who actually writes the policies, keeps them updated, and knows what they're talking about. They might bring in outside experts when needed.
**Line Managers** The bridge between policy and practice. They make sure their teams know what's expected and actually follow through.
**Everyone Else** Read the policies, acknowledge them, follow them.
How Policies Get Made
| Step | Who's Responsible |
|---|---|
| Commission | Top management says "we need a policy for X" |
| Draft | Security manager writes it |
| Consult | Subject matter experts review it (legal, HR, IT) |
| Approve | Top management signs off (or delegates for specific policies) |
| Communicate | Security/HR publishes it where people can actually find it |
| Acknowledge | Everyone confirms they've read it |
| Review | Security manager revisits it regularly or after incidents |
Think of it like passing a law: the mayor commissions it, lawyers draft it, city council approves it, district captains enforce it, and citizens follow it.
Key Roles in ISO 27001
**Top Management** Sets direction, assigns responsibilities, reviews the whole system periodically.
**Risk Owners** Own specific risks. They approve how risks get handled and accept whatever risk remains after controls are in place.
**Asset Owners** Responsible for protecting specific assets throughout their lifecycle. They classify data, set access rules, and authorize disposal. They can delegate tasks but remain accountable.
**Security Function** Usually a CISO or security manager. Makes sure the ISMS actually works and reports on its performance.
Other Roles You'll Need
- Privacy officer (if handling personal data)
- Project managers (to bake security into projects)
- Internal auditors (to check if things actually work)
- System administrators (the people with the keys to the kingdom)
Who Does What with Controls
Controls are the actual security measures you implement. Here's who handles them:
**Top Management** Provides resources, assigns reporting responsibilities, reviews everything at management meetings.
**Risk Owners** Approve which controls get implemented and accept leftover risk.
**Asset Owners** Make sure assets are properly protected and periodically check that access controls still make sense.
**Line Managers** Enforce policies with their teams, check compliance regularly, fix problems when they find them.
**CISO/Security Manager** Oversees implementation, helps identify risks, supports monitoring activities.
**Internal Auditors** Check if controls actually work and if the ISMS meets requirements. They don't implement anything; they just verify.
**Everyone** Follow the rules and report security issues when they spot them.
Quick Reference
| Role | Implementing | Monitoring | Evaluating |
|---|---|---|---|
| Top Management | Fund it | Review reports | Annual reviews |
| Risk Owner | Approve treatment plans | Accept residual risk | Check risk status |
| Asset Owner | Protect the assets | Review access periodically | Verify inventory |
| Line Manager | Enforce with staff | Regular compliance checks | Report findings |
| Internal Auditor | — | — | Test if it works |
Simple Analogy
Think city infrastructure:
- Top Management = City Council (budget for road safety, review annual reports)
- Risk Owner = City Planner (decides that intersection needs a traffic light)
- Asset Owner = Road Maintenance (installs and maintains the lights)
- Line Manager = Police Captain (makes sure officers enforce traffic laws)
- Internal Auditor = Inspector General (checks if lights meet codes and tickets are being issued)