Annex A control owners
Assign topic to the user
Answer:
Controls are implemented in terms of policies, procedures and technologies, which many times involve the application of several controls, so it makes more sense to define owners for these elements than for each control of the standard.
In general, Top Management own policies and procedures that are systematically applied to the organization (e.g. Information Security Policy and Information Classification Policy), policies and procedures which focus on people behavior (e.g., Acceptable Use Policy, and Disciplinary Process) are owned by Head of HR, policies, procedures, and technologies which focus on IT-related technologies (e.g., Backup Policy) are owned by Head of IT, policies, procedures, and technologies which focus on physical or non IT-related technologies (e.g., physical access control) are owned by Head of Operations or similar role, and policies and procedures focused on legal compliance are owned by He ad of Legal (e.g. controls from section A.18.1). For small and mid-sized organizations which do not have so many roles the person responsible for information security is the one who owns the controls.
Comment as guest or Sign in
Jan 08, 2019