richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
iso27diy-corp/Corpus/ISMS/Basic ISMS governance model.md

99 lines
No EOL
4.2 KiB
Markdown
Raw Blame History

# ISMS Governance Model
A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
*Based on [Governance model for Policies and Controls](../Standards/ISO27x/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
## Policy Lifecycle: Who Does What
### Key Players
**Top Management**
The buck stops here. They don't write policies, but they commission them, approve them, and make sure there's budget for security.
**Security Manager/CISO**
The person who actually writes the policies, keeps them updated, and knows what they're talking about. They might bring in outside experts when needed.
**Line Managers**
The bridge between policy and practice. They make sure their teams know what's expected and actually follow through.
**Everyone Else**
Read the policies, acknowledge them, follow them.
### How Policies Get Made
| Step | Who's Responsible |
|:-----|:-----------------|
| **Commission** | Top management says "we need a policy for X" |
| **Draft** | Security manager writes it |
| **Consult** | Subject matter experts review it (legal, HR, IT) |
| **Approve** | Top management signs off (or delegates for specific policies) |
| **Communicate** | Security/HR publishes it where people can actually find it |
| **Acknowledge** | Everyone confirms they've read it |
| **Review** | Security manager revisits it regularly or after incidents |
Think of it like passing a law: the mayor commissions it, lawyers draft it, city council approves it, district captains enforce it, and citizens follow it.
## Key Roles in ISO 27001
**Top Management**
Sets direction, assigns responsibilities, reviews the whole system periodically.
**Risk Owners**
Own specific risks. They approve how risks get handled and accept whatever risk remains after controls are in place.
**Asset Owners**
Responsible for protecting specific assets throughout their lifecycle. They classify data, set access rules, and authorize disposal. They can delegate tasks but remain accountable.
**Security Function**
Usually a CISO or security manager. Makes sure the ISMS actually works and reports on its performance.
**Other Roles You'll Need**
- Privacy officer (if handling personal data)
- Project managers (to bake security into projects)
- Internal auditors (to check if things actually work)
- System administrators (the people with the keys to the kingdom)
## Who Does What with Controls
Controls are the actual security measures you implement. Here's who handles them:
**Top Management**
Provides resources, assigns reporting responsibilities, reviews everything at management meetings.
**Risk Owners**
Approve which controls get implemented and accept leftover risk.
**Asset Owners**
Make sure assets are properly protected and periodically check that access controls still make sense.
**Line Managers**
Enforce policies with their teams, check compliance regularly, fix problems when they find them.
**CISO/Security Manager**
Oversees implementation, helps identify risks, supports monitoring activities.
**Internal Auditors**
Check if controls actually work and if the ISMS meets requirements. They don't implement anything—they just verify.
**Everyone**
Follow the rules and report security issues when they spot them.
### Quick Reference
| Role | Implementing | Monitoring | Evaluating |
|:-----|:------------|:-----------|:-----------|
| Top Management | Fund it | Review reports | Annual reviews |
| Risk Owner | Approve treatment plans | Accept residual risk | Check risk status |
| Asset Owner | Protect the assets | Review access periodically | Verify inventory |
| Line Manager | Enforce with staff | Regular compliance checks | Report findings |
| Internal Auditor | — | — | Test if it works |
### Simple Analogy
Think city infrastructure:
- **Top Management** = City Council (budget for road safety, review annual reports)
- **Risk Owner** = City Planner (decides that intersection needs a traffic light)
- **Asset Owner** = Road Maintenance (installs and maintains the lights)
- **Line Manager** = Police Captain (makes sure officers enforce traffic laws)
- **Internal Auditor** = Inspector General (checks if lights meet codes and tickets are being issued)
Reference in a new issue View git blame Copy permalink