Position Description Question
I wanted to touch base with you about a quick question. This is about ISO27001 control regarding stipulating Information Security obligations in Position Descriptions.
We are an ISO-27001:2013 compliant company and we have generic Info Sec roles and responsibilities articulated in our Position Description.
I wanted to know if there is a need to articulate role-specific Info Sec roles and responsibilities as well in PDs. For example, a Backup Engineer’s Info Sec roles and responsibilities would be different from those of a Network Engineer. Some views in our company are that it would be overkill, as ISO doesn’t mandate going into such details.
ISO 27001 does not prescribe how to define information security roles and responsibilities, so organizations are free to define them as best fits their needs, i.e., either as roles and responsibilities included in an existing Position Description that performs some information security activities (e.g., the Network Engineer) or as roles and responsibilities in a new Position Description in which information security is the core activity (e.g., the Chief Information Security Officer).
Considering your example, in small and midsized businesses a Network Engineer can perform information security activities (e.g., backup), so the roles and responsibilities can be included in this Position Description. In bigger companies, it may be required that you have a specific role to perform backups, so a Backup Engineer may be a required Position Description.
This article will provide you with further explanation about documenting roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
Sep 18, 2022