Expert Advice Community

Guest user Created:   Jan 05, 2019 Last commented:   Jan 05, 2019

Control owners

Can an organisation assign owners to the Annex A controls of ISO 27001? For example, for human resources security, could the owner be the director of HR? The idea is that the owner will be responsible for preparing the standard and process for each control.

Expert
Rhand Leal Jan 05, 2019

Alternatively, should the Annex A controls and their implementation be owned by the Head of IT/information security?

Answer:

You can assign owners to controls applicable to your organization, but for small and mid-size companies this role is normally assumed by the risk owner, the one who is accountable for managing a risk. For small and mid-size companies the number of treated risks normally allows the risk owners also to be control owners, but when the number of risks is too high, or controls are used to treat multiple risks, assigning control owners may be a better approach, since the control owner will have a comprehensive view of how controls are used against multiple risks, while the risk owners can focus on keeping the risks at acceptable levels.

Considering your alternative, since information security controls can cover much more than IT-related controls, the best approach would be for the controls to be owned by the Head of Information Security. Again, if the number of controls is too high, then you can split responsibilities considering people's competencies.

This article will provide you further explanation about risk owners:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
