ISO 27001: Understanding Security Roles and Responsibilities and Why They Are Vital to the Success of Your Security Program

When building your Information Security Management System (ISMS) as part of an ISO 27001 program implementation, one of the most important elements of the system of management for your security program is ensuring that all stakeholders understand their roles and responsibilities. (If you are unfamiliar with ISO 27001 and the “ISMS,” you can read our whitepaper on the ISO 27001 Framework.)

Why Understanding Roles is Critical to the Security Program

Implementing an information security program is truly an organization-wide initiative. It takes security, department-level, and organization-wide leadership to support, adopt, drive, and socialize information security concepts. A siloed security program will never be able to rise above the level of compliance check-the-box.

The good news is that most leaders across the organization understand the importance of information security and are typically willing to support a right-sized and well-thought-out security program. If you are charged with implementing the security program, it is your job to communicate the “why” and the “what” behind it. If you seek to align with ISO 27001, defining and communicating roles and responsibilities is also required to achieve certification.

Five Typical Roles and Responsibilities

While the specific naming and place on the organizational chart may vary, all security programs have at least five “role types”. These role types are a minimum for any security program and are needed to fulfill the requirements outlined in clauses 4-10 of ISO 27001.

1) Security Leadership

The defined leader of an information security program varies widely depending on the organization’s shape and size. In some small organizations, security leadership may be shared with members of other departments such as information technology, engineering, or legal. In more mature organizations, the security leader may be a Chief Information Security Officer (CISO), VP, or Director-level security practitioner. In either case, security leadership must own the information security program (including formalized responsibility and authority).

Typical duties include:

  • Defining the context of the security program including aligning the program to business objectives and ensuring appropriate stakeholders have been considered
  • Setting the strategic objective, building the security program road-map, allocating budget and human resources
  • Developing, tracking, and reporting security KPIs to relevant stakeholders (e.g., Customers, Leadership, the Board of Directors)

2) Security Risk Management

Security risk management is often one or many committees and sub-committees charged with overall risk management activities as related to information security. Sometimes called an Information Risk Council (IRC), Security Risk Council (SRC), or similar, these functions must oversee and own policy and risk management activities. These organizations are also designed to be cross-functional in nature, not siloed to information security or technology practitioners. Often, department heads from finance, HR, sales, legal, and others are representatives. Cross-functional representation helps drive organizational change and socialization of information security initiatives.

Typical duties include:

  • Attending quarterly risk management meetings (quarterly is usually a good cadence that is not overly burdensome on members)
  • Defining the risk management process, including risk analysis, risk measurement, and risk treatment
  • Overseeing the annual risk assessment, including periodically reviewing the risk register
  • Reviewing, approving, socializing, and enforcing policy decisions across the organization
  • Reviewing results of security assessments and other security-related activities
  • Charged with Incident Management and Incident Response (often, this is a sub-committee or separate team under the risk management function)

3) Internal Audit

A key philosophical principle of ISO 27001 is Management’s commitment to continuous improvement. Internal audit is a key part of monitoring and driving continuous improvement of your security program. Because internal audit must be both qualified and independent of the ISMS, many organizations choose to leverage third parties (like risk3sixty) to perform security assessments.

Typical duties include:

  • Being qualified (e.g., an ISO 27001 Lead Auditor, or similar) to perform a security assessment
  • Being independent from the ISMS (e.g., no conflict of interest such as operating controls or governing the ISMS)
  • Creating an annual audit plan
  • Executing against the audit plan (e.g., Performing audits of the ISMS and 114 ISO 27001 Annex A controls)
  • Reporting results to management
  • Note: Read clause 9.2 of ISO 27001

4) Control Owners

Control owners are the individuals responsible for the operation of the various tasks and duties that make up the security program. Many of these duties are defined by the 114 controls outlined in ISO 27001 Annex A. These roles will vary widely from organization to organization, but it is critical that an organization take the time to define these duties and periodically measure their performance.

Typical duties include:

  • Secure engineering, development, and operations (devops)
  • Security operations such as vulnerability management, intrusion monitoring, and active defense
  • Network Engineering and perimeter support
  • Availability of systems including back-up and restoration
  • Note: Read ISO 27001 Annex A for typical security controls and categories

5) All Employees

It must be emphasized that all employees play a critical role when it comes to information security. (It is of note that countless studies cite end users as the most common origin of security incidents.)

Typical duties include:

  • Basic end-user security awareness training (e.g., Email Phishing, Internet Browsing)
  • Training on the do’s and don’ts based on their role (for example, a person in finance should understand never to change the routing number of a client’s bank account based on an email request)
  • Training based on regulatory or contractual requirements such as GDPR or Sarbanes Oxley

Let’s Get Started

If your organization is considering ISO 27001 certification or building a world-class security program, our team can help. Over the last 3 years our team has had a 100% certification success rate and 100% client retention. If you want to know more, you can begin by reading our whitepapers on ISO 27001 here or reaching out to one of our professionals for more information here.