Toolkit content

Answer: The definition of general roles and responsibilities for information security is made on the Information Security Policy template, which you can find at folder 04 Information Security Policy of your ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit.

Regarding specific roles and responsibilities for information security, they are defined through all documents in the toolkit. If you note, every time an activity is defined, it is also required the definition of a "Job Title" or person to perform that activity.

2. Whether the control A.7.1.2 can be applied to roles and responsibilities delegated to the CIO, the CISO, or even CEO. Can that be assumed?

Answer: Besides the Information Security Policy template, and the definitions of roles and responsibilities through all documents in the toolkit, the appl ication of control A.7.1.2 - Terms and conditions of employment is also a way to define roles and responsibilities not only to the CIO, the CISO, or CEO, but to all parties involved with information security, like employees and outsourced personnel.

These articles will provide you further explanation about documenting roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

We have received futher question:

> The matter is still confused to me. The source of the information for the possibly missing document is this link: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
> At the above link you can read this line in the paragraph of mandatory document: “Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)” The Information Security Policy template doesn't mention in its references the clauses A.7.1.2 and A.13.2.4, so it cannot be the template covering these clauses. Clause 5.3 is cited instead, and it is clearly related to the definition of roles and responsibilities. It also appears that clause 5.3 is completely on a different topic that missing clauses A.7.1.2 and A.13.2.4. Can you please clarify the matter?

Answer: I'm sorry about this confusion. Here are the answers:
- Clause A.7.1.2 is covered in documents "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security) and "Security Clauses for Suppliers and Partners" (toolkit f older 08 - A.15 Supplier relationships)
- Clause A.13.2.4 is covered in document "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security)

The two documents above describe general roles and responsibilities; as my colleague has described above, each of our policies and procedures further enable the definition of detailed roles and responsibilities.

By the way, in the root folder of the toolkit you'll find a document called "List of documents" which specifies which clauses of the standard are covered with which toolkit document.