ISO 27001: Understanding Security Roles and Responsibilities and Why They Are Vital to the Success of Your Security Program

When building your Information Security Management System (ISMS) as part of an ISO 27001 program implementation, one of the most important elements of the system of management for your security program is ensuring that all stakeholders understand their roles and responsibilities. (If you are unfamiliar with ISO 27001 and the “ISMS”, you can read our whitepaper on the ISO 27001 Framework.)

Why Understanding Roles is Critical to the Security Program

Implementing an information security program is truly an organization-wide initiative. It takes security, department-level, and organization-wide leadership to support, adopt, drive, and socialize information security concepts. A siloed security program will never be able to rise above the level of check-the-box compliance. The good news is that most leaders across the organization understand the importance of information security and are typically willing to support a right-sized and well thought-out security program. If you are charged with implementing the security program, it is your job to communicate the “why” and the “what” behind the security program. If you are seeking to align with ISO 27001, defining and communicating roles and responsibilities is also required to achieve certification.

Five Typical Roles and Responsibilities

While the specific naming and place on the organizational chart may vary, all security programs have at least five “role types”. These role types are a minimum for any security program and are needed to fulfill the requirements outlined in clauses 4-10 of ISO 27001.

1) Security Leadership

The defined leader of an information security program varies widely depending on the organization's shape and size. In some small organizations, security leadership may be shared with members of other departments such as information technology, engineering, or legal. In more mature organizations, the security leader may be a Chief Information Security Officer (CISO), VP, or Director-level security practitioner. In either case, security leadership must own the information security program (including formalized responsibility and authority). Typical duties include:

2) Security Risk Management

Security risk management is often one or more committees and sub-committees charged with overall risk management activities as they relate to information security. Sometimes called an Information Risk Council (IRC), Security Risk Council (SRC), or similar, these functions must oversee and own policy and risk management activities. These bodies are also designed to be cross-functional in nature, not siloed to information security or technology practitioners. Often department heads from finance, HR, sales, legal, and others are representatives. Cross-functional representation helps drive organizational change and socialization of information security initiatives. Typical duties include:

3) Internal Audit

A key philosophical principle of ISO 27001 is management's commitment to continuous improvement. Internal audit is a key part of monitoring and driving continuous improvement of your security program. Because internal audit must be both qualified and independent of the ISMS, many organizations choose to leverage third parties (like risk3sixty) to perform security assessments. Typical duties include:

4) Control Owners

Control owners are the individuals responsible for operating the various tasks and duties that make up the security program. Many of these duties are defined by the 114 controls outlined in ISO 27001 Annex A. These roles will vary widely from organization to organization, but it is critical that an organization take the time to define these duties and periodically measure their performance. Typical duties include:

5) All Employees

It must be emphasized that all employees play a critical role when it comes to information security. (It is of note that countless studies cite end users as the most common origin of security incidents.) Typical duties include:

Let's Get Started

If your organization is considering ISO 27001 certification or building a world-class security program, our team can help. Over the last 3 years our team has a 100% certification success rate and 100% client retention. If you want to know more, you can begin by reading our whitepapers on ISO 27001 here or reaching out to one of our professionals for more information here.
Christian is the Managing Director and Co-Founder of risk3sixty, where he helps build security, privacy, and compliance programs.