Appointment letters
Hello Dejan. We've created an ISO Team for our ISO 27001:2013 implementation project. That being said, is it required for our HR to issue us appointment letters given that the ISO Team members' responsibilities are different from their typical job? For example, we've trained some of our employees to become Internal Auditors but their original responsibilities do not include auditing (Finance Officers, etc.).
During the implementation phase, the definition of responsibilities inside the project team structure would be enough (i.e., a project document defining who is the project manager, who are the team members, tasks to be performed and who is responsible for them, etc.).
After the implementation, it may be necessary to update the documents you use to define roles, responsibilities, and required competencies (e.g., job descriptions, policies, procedures, training plans, etc.). In general, these documents are identified and updated during the implementation phase.
These articles will provide you with a further explanation about definitions of roles and responsibilities:
- RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
Sep 07, 2020