iso27diy-corp/Corpus/Standards/ISO27x/Explicitly mentioned roles in ISO 27001.md

Based on the text of ISO/IEC 27001:2022, the standard explicitly identifies specific roles and categories of individuals with distinct responsibilities regarding the Information Security Management System (ISMS).

These roles are categorized below by their function within the standard:

1. Top Management

"Top management" is the most prominent role cited throughout the standard. Top management is responsible for:

  • Overall leadership with respect to information security and commitment to the ISMS.
  • Establishing the information security policy and objectives.
  • Ensuring necessary resources are available for the ISMS.
  • Ensuring responsibilities and authorities for relevant roles are assigned and communicated.
  • Conducting management reviews of the ISMS at planned intervals.

2. Risk Owners

Risk owners (explicitly required by the standard) are identified in the risk assessment process (Clause 6.1.2). They must approve the risk treatment plan and accept the residual risk that remains after treatment.

3. Auditors

In the context of performance evaluation, the standard refers to auditors. The organization is required to select auditors to conduct internal audits in a way that ensures the objectivity and impartiality of the audit process.

4. Asset Owners

While the main body of the standard focuses on risk owners, Annex A (which lists the information security controls) explicitly mentions owners in the context of assets.

  • Control 5.9 (Inventory of information and other associated assets): Requires an inventory of assets to be developed and maintained, "including owners".

5. Personnel and Persons Doing Work

The standard refers to the broader workforce under two main categories:

  • Persons doing work under the organization's control: The organization must determine the necessary competence of these persons and ensure they are aware of the information security policy and their contribution to the ISMS.
  • Personnel: Within Annex A, controls explicitly refer to "personnel" regarding screening, terms of employment, disciplinary processes, and information security awareness.

6. Other Relevant Management Roles

Clause 5.1 mentions that Top Management must support "other relevant management roles" to demonstrate their leadership as it applies to their specific areas of responsibility.

7. Interested Parties

While not an internal "role" in the traditional sense, the standard explicitly requires the organization to determine relevant interested parties (stakeholders) and their requirements, which must be addressed by the ISMS.

Note on Specific Job Titles: ISO 27001 describes responsibilities (e.g., "reporting on the performance of the information security management system") but generally does not prescribe specific job titles like "CISO" or "Security Manager." Instead, it requires Top Management to assign the responsibility and authority for these tasks.