Question about Annex 6.1
I came across a problem.
There is no document that mentions Annex A 6.1 Internal organization; instead, there is A6.1 Bring your own Device under the folder 08_Annex_A_Security_Controls.
Would you please give us some suggestions?
The definition of general roles and responsibilities for information security is made on the Information Security Policy template, which you can find in folder 04 Information Security Policy of your ISO 27001 & ISO 22301 Premium Documentation Toolkit.
Regarding specific roles and responsibilities for information security, they are defined throughout all documents in the toolkit. If you note, every time an activity is defined, the definition of a "Job Title" or person to perform that activity is also required.
These articles will provide you with further explanation about documenting roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
I found similar requirements repeated in the standard and the Annex. So you mean I can mention this role and responsibility / Job Description / Position Description once in the documentation? That's enough and fulfills the requirement of ISO 27001?
Please note that you need to define a role's responsibility whenever required in the document, not only once. In our templates, you can easily identify where the definition of a role's responsibility is required by the use of the expression "job title" between brackets ([job title]). Depending on the stated action, you can define different job titles as responsible.
This approach is enough to fulfill the requirement of ISO 27001.
Nov 13, 2020