This post turns to the second control in ISO 27001 Annex A, the one that asks you to get specific about who is actually involved in your ISMS and what, exactly, they are supposed to do. Before you get too far down this path, you really do need to buy a copy of the ISO 27001 standard. There is no substitute for reading the source material when you are aiming for compliance.
A common misconception is that ISO 27001 is an IT-only affair. After all, we're talking about information security. But ISO 27001 works precisely because it refuses to let information security get trapped in the IT silo. To earn certification, an organization has to spell out how each role participates in safeguarding information: not by assumption, not by tradition, but in writing. Below are three functions whose roles and responsibilities you will need to pin down: IT, senior leadership, and Human Resources.
Of course, IT professionals still shoulder much of the operational weight. In large organizations, you may see a clean split between the person who owns the technical security stack and the person charged with risk management. That division of labor is normal, often necessary, and it carries a security benefit of its own: the person who operates the controls is not the only person judging whether they are adequate.
ISO 27001 doesn't just want leadership to "support" the program in some vague sense. It expects senior leadership to be visibly involved. At minimum, leaders should own and approve the security policies required for compliance. They are also in the best position to champion cybersecurity training and to ensure everyone completes it. Resource management typically lands here as well: making sure people have the time, budget, and tools they need to secure information competently.
In smaller organizations, the line between leadership responsibilities and IT responsibilities can blur. If you have a single IT manager, leadership may need to play a supporting or oversight role in day-to-day security tasks; one person cannot be both the operator of every control and the only check on their own work. That dynamic tends to disappear in larger companies, where duties can be distributed more formally.
Human Resources can play a major part in the compliance effort, again depending on how large the HR function is. HR is often responsible for ensuring new hires receive the required cybersecurity training, for coordinating access provisioning and revocation as people join, change roles, and leave, and for conducting background checks. These are not optional niceties; they are structural pieces of ISO 27001's people controls.
As with your security policies, the final and most critical step is to document these roles and responsibilities, then make sure everyone understands their part. Define roles by the position, not by the person currently sitting in it. People come and go; the responsibilities should remain constant. If they don't, your ISMS will drift and responsibilities will quietly go unowned.
If you're navigating your ISO 27001 compliance journey and want clarity, or if you're ready for a pre-assessment or a full audit, contact us today.