What roles are required for implementing the ISO/IEC 27001 Information Security Management System?

If, as an Organization, you are considering implementing an Information Security Management System (ISMS), you will face the question of which Roles/Functions are required to commence implementation of a system compliant with ISO/IEC 27001.

The answer to this question is crucial for defining the catalogue of roles and the scope of their responsibilities in the Organization, as well as for preparing the ISMS contents in order to assign them to one or several roles. This procedure constitutes one stage of the information security certification process.

Roles

The following figure presents the roles that are crucial, from my experience, for the implementation of an ISMS compliant with the ISO/IEC 27001 Information Security Management System and the Personal Data Protection Regulation.

Drawing 1. ISO/IEC 27001 Main roles in Information Security Management System.

Please note that, depending on the size of the Organization, a Role may be assigned to a single person, e.g. Information Security Officer, or to an entire group — the “IT Administrator” role is usually managed by a group/department responsible for IT support in the organization.

Employee/Contractor

This role represents an Employee/Contractor in your Organization. The competences and knowledge of persons assigned to this role are crucial for meeting the Organization’s goals with regard to data protection. They should work in accordance with applicable policies, processes, and procedures constituting the Information Security Management System.

The most important policies applicable to this Role include:

  • Information Security Policy
  • Information Classification Policy
  • Acceptable Use of Assets Policy
  • Access to Network and Network Services Policy
  • Password Management Policy

With regard to this Role, the Organization should focus on building awareness and competences in the area of data protection for existing and new employees.

Information Security Officer

The Information Security Officer Role is responsible for coordinating all activities related to information security management in the Organization. In small- and medium-sized organizations, this Role may be assigned to a single person; in larger systems, it is advisable to assign a group of users to this Role.

The person in this Role is responsible mainly for:

  • Definition and supervision of the Information Security Management System
  • Coordination of all activities related to the ISMS
  • Communication of information relating to ISMS in the Organization
  • Contacting authorities and groups of interest in the area of ISMS
  • Coordinating the risk management process
  • Supervision and coordination of the Information Security Management System

The person in this Role should have managerial, communication and technical skills.

IT Administrator

The IT Administrator Role is responsible for definition, implementation, and technical maintenance of security devices and technologies that constitute the Organization’s ICT networks and resources and the Information Security Management System. In small- and medium-sized organizations this Role may be assigned to several persons, and in large organizations — to IT departments.

The person in this Role is responsible, among other things, for:

  • Definition and implementation of technical safety measures in the Organization
  • Participation in the risk analysis process in the role of a technical expert
  • Maintenance of ICT infrastructure and resources based on the Operational Activity Process
  • Supervision of access rights to the Organization’s resources
  • Monitoring and maintenance of ICT networks and resources of the Organization
  • Management of availability, capacity, and events
  • Responding to threats and security incidents in the Organization
  • Support and implementation of components forming part of the Organization’s business continuity plans
  • Raising awareness of users in technological areas

Top Management

In the article on the implementation of ISO/IEC 27001 (“How to implement Information Security Management System”¹), we pointed out that the support of Top Management is crucial for successful implementation of the Information Security Management System.

The Top Management Role is assigned to a person or group of persons who manage and control the Organization at its highest level. In Poland, it may be for example the level of the Organization’s management board.

The persons in this Role are responsible for:

  • Definition of the Organization’s strategy
  • Definition of goals and the Scope of the Information Security Management System
  • Leadership and involvement with regard to the Information Security Management System
  • Definition of the Organization’s operating strategy in the context of data protection through Policies
  • Definition of Roles, assignment of responsibilities and rights in the Organization
  • Provision of resources and budget approval
  • Management and supervision of the Organization’s external communication
  • Participation in Management Reviews and ISMS improvement

The person in this Role, in the context of data protection, should be aware of his or her influence on the goals, strategy, and improvement of the Information Security Management System compliant with ISO/IEC 27001.

Internal Auditor

The Internal Auditor Role is responsible for performing audits. An audit is a systematic, independent, and documented process of collecting audit evidence and its objective assessment in order to determine whether the audit criteria have been met and to what degree. The Internal Auditor Role is key in terms of the maintenance and optimization of the Information Security Management System. Smaller organizations should consider outsourcing this role to external companies specializing in such activities.

The persons in this Role are responsible for:

  • Participation in the Audit Management Process
  • Preparation and distribution of the Audit Report
  • Assessment of the Organization’s compliance with the security measures approved in the Statement of Applicability
  • Preparation of audit criteria to increase their quality
  • Development of technical expert skills in the areas required in the Organization
  • Improvement and development of management systems in the Organization

The person in this Role should be able to combine the practice of auditing Information Security Management Systems with knowledge of the Organization and its information security measures.

Data Protection Officer

The Data Protection Officer Role is not a key ISMS Role in the Organization; however, due to the requirements set out in the Personal Data Protection Regulation², it is advisable to define this Role. In such a case, this Role is an extension of the Information Security Officer Role, based on the Personal Data Protection Regulation requirements. The scope of this Role is defined in the publication on the comparison of the requirements of ISO/IEC 27001 and the Personal Data Protection Regulation.

www.ins2outs.com – support for Roles derived from ISO/IEC 27001

The ins2outs system significantly streamlines the implementation of the Information Security Management System compliant with ISO/IEC 27001 and the Personal Data Protection Regulation.

With a purchase of the complete ISO/IEC 27001 Knowledge Package, the Organization receives a customizable Information Security Management System including:

  1. Complete definitions of Roles along with the scope of their responsibilities
  2. Possibility to assign users to at least one Role
  3. Induction trainings available on the ins2outs platform for persons in individual Roles
  4. Task and notification system for notifying users about the content which persons in individual Roles must become familiar with
  5. Automatic compliance indicators for Roles and Users
  6. Long-term competence profiles for individual roles

Drawing 2. ins2outs – Roles in the Organization derived from ISO/IEC 27001

In this way, the Organization will be able to quickly overcome the obstacle of lacking know-how on the Information Security Management System and then establish the ISMS to ensure that persons assigned to individual roles in the entire organization have the necessary knowledge and competences to support information security. This is a very important functionality for small, medium, and large organizations.

If you are interested in implementing the Information Security Management System on the ins2outs platform or you wish to receive more information, contact us via e-mail at ins2outs@pro4people.com or visit our website at https://ins2outs.com/

¹ How to implement Information Security Management System
² Regulation (EU) 2016/679, Personal Data Protection Regulation