Control owners
Alternatively, should the Annex A controls and their implementation be owned by the Head of IT/Information Security?
Answer:
You can assign owners to controls applicable to your organization, but for small and mid-size companies this role is normally assumed by the risk owner, the one who is accountable for managing a risk. For small and mid-size companies the number of treated risks normally allows the risk owners to also be control owners, but when the number of risks is too high, or controls are used to treat multiple risks, assigning control owners may be a better approach, since the control owner will have a comprehensive view of how controls are used against multiple risks, while the risk owners can focus on keeping the risks at acceptable levels.
Considering your alternative, since information security controls can cover much more than IT-related controls, the best approach would be for the controls to be owned by the Head of Information Security. Again, if the number of controls is too high, then you can split responsibilities according to people's competencies.
This article will provide further explanation about risk owners:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Jan 04, 2019