This blog post focuses on the second control of ISO 27001 Annex A, which deals with defining what roles need to be involved in ISO 27001 and how that involvement should roll out. Remember, it is important to purchase a copy of the actual ISO 27001 standard as you move toward compliance.
It is easy to assume that IT professionals are the only ones who need to participate in the ISO 27001 compliance journey. After all, ISO 27001 focuses on information security. In practice, however, ISO 27001 improves information security management in part because it requires buy-in from the entire organization. In order to earn ISO 27001 certification, an organization needs to define how different roles in the company will participate in protecting information. Here are three examples of how to establish these roles and responsibilities in your organization.
Needless to say, IT professionals do tend to carry the majority of the ISO 27001 responsibilities. In very large companies there may be a person strictly in charge of the technical aspect of information security while another person may undertake responsibilities tied to risk management.
ISO 27001 not only requires senior leadership to accept the importance of the certification, it also requires senior leadership to participate. At a minimum, it is a good idea to assign senior leaders the responsibility for approving the security policies necessary for ISO 27001 compliance. Leadership may help promote cybersecurity training sessions and help ensure all employees participate. Senior leaders will also likely take on the role of resource management, making sure everyone has what they need in order to secure information properly. The size of the company will determine the responsibilities of senior leadership to a certain extent. If there is only one IT manager, for example, senior leadership may fill the role of supporting IT activities. This is not likely to happen in much larger companies.
Again, depending on the size of the company and available HR personnel, Human Resources can assist in numerous ways in the journey toward ISO 27001 compliance. Among the responsibilities HR may undertake are helping ensure new hires receive cybersecurity training, helping to assign and manage access control, and conducting background checks.
As with security policies, the last and most important steps are to document the roles and responsibilities and make sure everyone in the company is aware of the role they must play in ISO 27001 compliance. Roles and responsibilities for ISO 27001 compliance should be defined by role title rather than by individual, so that they do not change as personnel change.
Do you have questions about your ISO 27001 compliance journey? Are you ready for a pre-assessment or an official audit? Contact us today!