Who is accountable and responsible for applications and for the operating system
Answer:
ISO 27001 doesn't distinguish between persons accountable and persons responsible for assets - the only thing that is required by the standard is to define the asset owners, who are responsible for those assets (control A.8.1.2).
In your case, there are different options possible:
a) That the same person or organizational unit is owner of the server and of all applications
b) That one person or organizational unit is owner of the server, and other person/unit is the owner of all applications
c) That one person/unit is responsible for the server, and that each application has a different owner
For each change process, it is crucial that one person approves the change (e.g. Head of IT department), and that another person executes the change (e.g. the IT administrator). This is one of the reasons why it is much better to have persons as asset owners, not organizational units.
Apr 27, 2016