Expert Advice Community

Toolkit content

Guest user Created:   Jan 22, 2019 Last commented:   Jan 24, 2019

1. I've been alerted of a possible missing document in the 27001 toolkit, titled "Definition of security roles and responsibilities" and deemed mandatory. I actually didn't find it. Can you please kindly check?

Expert
Rhand Leal Jan 22, 2019

Answer: The definition of general roles and responsibilities for information security is made in the Information Security Policy template, which you can find in folder 04 Information Security Policy of your ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit.

Regarding specific roles and responsibilities for information security, they are defined throughout all documents in the toolkit. As you will note, every time an activity is defined, the definition of a "Job Title" or person to perform that activity is also required.

2. Whether control A.7.1.2 can be applied to roles and responsibilities delegated to the CIO, the CISO, or even the CEO. Can that be assumed?

Answer: Besides the Information Security Policy template, and the definitions of roles and responsibilities throughout all documents in the toolkit, the application of control A.7.1.2 - Terms and conditions of employment is also a way to define roles and responsibilities not only for the CIO, the CISO, or CEO, but for all parties involved with information security, like employees and outsourced personnel.

These articles will provide you further explanation about documenting roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Expert
Dejan Kosutic Jan 24, 2019
We have received a further question:

> The matter is still confusing to me. The source of the information for the possibly missing document is this link: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
> At the above link you can read this line in the paragraph on mandatory documents: "Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)". The Information Security Policy template doesn't mention clauses A.7.1.2 and A.13.2.4 in its references, so it cannot be the template covering these clauses. Clause 5.3 is cited instead, and it is clearly related to the definition of roles and responsibilities. It also appears that clause 5.3 is on a completely different topic than the missing clauses A.7.1.2 and A.13.2.4. Can you please clarify the matter?

Answer: I'm sorry about this confusion. Here are the answers:
- Clause A.7.1.2 is covered in the documents "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security) and "Security Clauses for Suppliers and Partners" (toolkit folder 08 - A.15 Supplier relationships)
- Clause A.13.2.4 is covered in the document "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security)

The two documents above describe general roles and responsibilities; as my colleague has described above, each of our policies and procedures further enable the definition of detailed roles and responsibilities.

By the way, in the root folder of the toolkit you'll find a document called "List of documents" which specifies which clauses of the standard are covered with which toolkit document.