Expert Advice Community

Segregation of duties, cyber security and business size

Guest user | Created: Jan 09, 2020 | Last commented: Jan 09, 2020

1. I need just a document on segregation of duties with regard to Management of IT and IT Security.
2. Who is responsible for the drafting of the Cyber Security Management policy?
3. What defines a small to medium business: the number of people, the geographical spread, or both?

Expert
Rhand Leal Jan 09, 2020

1. I need just a document on segregation of duties with regard to Management of IT and IT Security.

In case segregation of duties is needed, our recommended approach is to define the segregation in the specific documents where it is required (e.g., policies and procedures), instead of using a single document to centralize all the segregation you need. This way people will focus on the specific documents they need to follow, instead of consulting multiple documents. This also decreases the administrative effort to manage documents and the risk of information inconsistency.

As an example of segregation of duties directly in the document, I can mention the backup policy, where you can define that one person is responsible for creating backups and another person is responsible for testing them. Another example is the document control procedure, where you can define that one person is responsible for creating documents and another person is responsible for approving them.

For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

2. Who is responsible for the drafting of the Cyber Security Management policy?

ISO 27001 does not prescribe who must elaborate the required documents, so you can define any person your organization sees fit, provided he/she has the proper competence to do so (by means of experience, training or acquired knowledge). Considering this specific document, and if you have these roles in your organization, the responsible person may be the person responsible for information security or the person responsible for IT.

For further information, see:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

3. What defines a small to medium business: the number of people, the geographical spread, or both?

The most general parameters used to define the size of an organization are number of employees and its complexity, which can be evaluated by items like its internal processes and geographical distribution (e.g., sometimes an organization has few employees, but if they are working from remote locations, it is more complex to manage than an organization with more employees that work in the same location).

For the purposes of our toolkit, it was developed considering small to medium-sized companies with up to 500 employees.
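As an added illustration (not code from Advisera's toolkit or from the answer above) of how the two segregation examples in the answer can be enforced and audited in practice, here is a small Python module. It refuses to record the same person as both backup creator and backup tester, or as both document author and document approver, and it audits a list of records for the same condition so that an internal auditor can spot violations after the fact. All names, record IDs and field names are assumptions made up for the example.

```python
"""Segregation-of-duties (SoD) enforcement and audit for two ISMS controls:
backup creation vs. backup testing, and document creation vs. approval.
Added example; field names, roles and records are constructed, not from any
real toolkit or organisation."""
from dataclasses import dataclass
from typing import Optional


class SegregationViolation(Exception):
    """Raised when one person would hold both halves of a separated duty."""


@dataclass
class ControlledDocument:
    """Document control procedure: the approver must differ from the author."""
    title: str
    author: str
    approver: Optional[str] = None

    def approve(self, approver: str) -> None:
        if approver == self.author:
            raise SegregationViolation(
                f"{approver} cannot approve '{self.title}': they authored it")
        self.approver = approver


@dataclass
class BackupJob:
    """Backup policy: the person who tests (restores) a backup must differ
    from the person who created it."""
    name: str
    created_by: str
    tested_by: Optional[str] = None

    def record_test(self, tester: str) -> None:
        if tester == self.created_by:
            raise SegregationViolation(
                f"{tester} cannot test backup '{self.name}': they created it")
        self.tested_by = tester


# Which two fields must be held by different people, per record type.
# (Assumed schema for the audit input; e.g. an export from a ticketing tool.)
SEPARATED_DUTIES = {
    "backup": ("created_by", "tested_by"),
    "document": ("author", "approver"),
}


def audit_sod(records: list) -> list:
    """Return one finding per record where the second duty is missing or
    was performed by the same person as the first duty."""
    findings = []
    for rec in records:
        first_field, second_field = SEPARATED_DUTIES[rec["type"]]
        first, second = rec.get(first_field), rec.get(second_field)
        if second is None:
            findings.append(f"{rec['id']}: {second_field} not yet recorded")
        elif first == second:
            findings.append(
                f"{rec['id']}: {first} performed both {first_field} and {second_field}")
    return findings


# Constructed sample records: one clean backup, one self-tested backup,
# one unapproved document, one properly approved document.
SAMPLE_RECORDS = [
    {"id": "BKP-001", "type": "backup", "created_by": "alice", "tested_by": "bob"},
    {"id": "BKP-002", "type": "backup", "created_by": "carol", "tested_by": "carol"},
    {"id": "DOC-014", "type": "document", "author": "dave", "approver": None},
    {"id": "DOC-015", "type": "document", "author": "erin", "approver": "frank"},
]


if __name__ == "__main__":
    for finding in audit_sod(SAMPLE_RECORDS):
        print("SoD finding:", finding)
    doc = ControlledDocument("Backup policy", author="alice")
    doc.approve("bob")  # allowed: different person
    try:
        doc.approve("alice")  # refused: author approving own document
    except SegregationViolation as exc:
        print("Blocked:", exc)
```

The enforcement classes stop a violation at the moment the second duty is recorded, while `audit_sod` covers the situation the answer implies for a written policy: records already exist, and someone has to check that the separation written into the backup policy or document control procedure was actually respected.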
