What is involved in ISO 27001 requirement 5.3?
This clause is all about top management ensuring that the roles, responsibilities and authorities for the information security management system are clear. This does not mean that the organisation needs to go and appoint several new staff or over-engineer the resources involved - it's an often misunderstood expectation that puts smaller organisations off achieving the standard.
Quite simply, ISO 27001 is looking for clarity and focus on the key parts of the ISMS - who is accountable overall and who is responsible for certain parts - all good and logical business practice. You need to demonstrate that certain roles (not necessarily people) exist, have been appointed by top management, are communicated to the relevant interested parties and are documented clearly so there is no ambiguity. The requirement here is quite high level and easy to document, and it also fits with other parts of the information security management system, e.g. security risk owners in 6.1, information security objective owners in 6.2, etc.
ExamSimul also makes much of the ISMS ownership and engagement easy in practice with its collaborative team memberships, policy activity owners, risk, incident, improvement owners etc - all of which can flow down from the top management clarity that comes from within this clause 5.3.
So one individual can hold more than one role, and you can unify the work, e.g. by having a management board oversee everything, which helps demonstrate management reviews in line with 9.3 and joins up the whole information security management system. Just make it clear who is responsible for what. Think about the roles with interested parties in mind as well as practical delivery. For example, the role of CISO (Chief Information Security Officer) can signal to your customers that you take information security seriously; it could be held by a senior executive in addition to their day job, or, in a larger organisation, it might be a full-time role in its own right.
You may also choose to have a TISO (Technical Information Security Officer), or equivalent, who is more technical and able to focus on those aspects of the ISMS if the other roles are filled by more commercial or strategic individuals. See Annex A 5.2 (on the organisation of information security) and ensure you align this requirement with that Annex A control.
ISO 27001 specifically looks for clarity in roles and responsibilities for:
- Making sure the information security management system conforms to the requirements of the International Organisation for Standardisation
- The reporting of performance of the ISMS (which is much easier when it is all in one place)
It might well be that a senior executive holds accountability for the ISMS as part of the leadership commitment to information security (5.1), but they can of course delegate the running of it to others in the organisation, or outsource it to specialist parties such as a virtual CISO. Just remember to document it!