Expert Advice Community


Annex A control owners

Guest user Created:   Jan 08, 2019 Last commented:   Jan 08, 2019


Would you be able to provide suggested owners for each of the controls in Annex A? For example Head of IT, Legal, HR?

Expert
Rhand Leal Jan 08, 2019

Answer:

Controls are implemented in terms of policies, procedures and technologies, which many times involve the application of several controls, so it makes more sense to define owners for these elements than for each control of the standard.

In general, Top Management own policies and procedures that are systematically applied to the organization (e.g. Information Security Policy and Information Classification Policy), policies and procedures which focus on people behavior (e.g., Acceptable Use Policy, and Disciplinary Process) are owned by Head of HR, policies, procedures, and technologies which focus on IT-related technologies (e.g., Backup Policy) are owned by Head of IT, policies, procedures, and technologies which focus on physical or non-IT-related technologies (e.g., physical access control) are owned by Head of Operations or similar role, and policies and procedures focused on legal compliance are owned by Head of Legal (e.g. controls from section A.18.1). For small and mid-sized organizations which do not have so many roles, the person responsible for information security is the one who owns the controls.