ISO 27001 Information Security - Clause 5.3 Organizational roles, responsibilities and authorities

Roles, responsibilities and authorities

26 May 2022 - ISO 27001 Information Security in plain English - Blog post #7.

ISO 27001 - Clause 5.3 requires that Information Security roles, responsibilities and authorities must be determined, assigned to people, and communicated to them. This article discusses how those requirements may be addressed efficiently and effectively.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blog articles that explains all the clauses and controls in the standard.

Organizational roles, responsibilities and authorities

Information Security roles, responsibilities and authorities must be determined, assigned to people, and communicated to them. For example, there may be an 'Information Security Manager' or 'Compliance Manager' with assigned responsibility and authority for:

  • Ensuring that the system complies with ISO 27001
  • Reporting on the ISMS to top management
  • Ensuring the integrity of the ISMS as part of change management

That person may be assisted by others such as the IT team, Privacy Officer, and internal auditors. Any of those people may also have other responsibilities and job titles.

Apart from what may be considered as the 'key players' in the management system, everyone else who works for the organization also has a part to play in its success. Therefore, you should define and document the relevant responsibilities for others. That may be achieved in job descriptions, and relevant procedures and plans.

Individual workers should be provided with a copy of their job description and be asked to sign a copy for retention by the organization.

For very small companies, an alternative to a system of job descriptions may be to simply list responsibilities in an ISMS Overview document. Responsibilities for certain actions may also be summarised in procedures or plans. Naturally, these should be compatible with any job descriptions that do exist.

There is a subtle difference between authority and responsibility.

  • Responsibilities may be considered as the duties assigned to a job position. For example, the Human Resources or People & Culture Manager may be responsible for ensuring the appropriate screening of new employees.
  • The authority vested in a job position refers to the powers of decision that have been delegated to a person in that position, e.g. approval of purchases of a certain type, approval of access rights, etc. Once again, these may be listed in individual job descriptions. However, an alternative method is a 'List of Delegated Authorities' that describes the levels of authority vested in all job positions. This has the advantage that when there are changes to authorities, only one document needs to be changed - not a whole stack of job descriptions.

Templates for Job Descriptions and a 'List of Delegated Authorities' are part of the ISO 27001 InfoSec Toolkit, which is included in Qudos 3 IMS software.

The previous blog post in this series is ISO 27001 Clause 5.2 Policy

The next blog in this series is on Clause 6.1 Actions to address risks and opportunities.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

Qudos 3 IMS software includes an ISMS Overview template along with a wide range of tools to help you develop and maintain your management system faster, better and smarter.

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!