Team in charge of implementation and maintenance of the ISMS
We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".
We also want these team members to be able to approve requests, for example those in "09.01_IT_Security_Policy_27001_EN" for installing software or running Java, to name just a few.
We don't want only one person to approve this, whether it is the IT manager or the CTO.
We are a 50-user *** company.
It does not make sense to me that the executive team should be the one in charge of the above, since in our case it is a small team of mostly non-technical users.
We thought of creating a 3-person team (maybe call it "IT Team", or another name if you have a better idea) that includes the CTO, the IT Manager and the Head of Engineering. This team already meets weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.
Do you think that is a good idea?
Is it in line with the standard?
If so, is it best described in "05_Information_Security_Policy_27001_EN"?
From your question it is not clear whether you are asking about responsibilities for approving policies and procedures, or for responsibilities that are specified in information security documents.
1) Responsibilities for approving policies and procedures:
In smaller companies, one person usually approves documents, while there are usually 2 or 3 persons who review the documents before they are sent for approval.
2) Responsibilities specified in information security documents:
In the top-level Information Security Policy you should define:
- one person in charge of coordinating the ISMS
- one sponsor from the top management team
For detailed policies like Backup Policy or Access Control Policy, different people will have different responsibilities - e.g., the person in charge of doing the backup might be a different person from the one in charge of approving access.
The standard allows collective decision-making; however, having a 3-person committee that decides about everything is impractical.
For further information, see:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
May 18, 2023