Section 6
Roles and Responsibilities
CISO / Information Security Manager
Clauses 5.3, 6, 7, 8, 9, 10
Responsibilities
- Owns the ISMS day to day
- Maintains policies, risk register, SoA and Risk Treatment Plan
- Coordinates internal audits, incident response and management reviews
- Reports on ISMS performance to top management
Required competencies
- Knowledge of ISO/IEC 27001:2022 and ISO/IEC 27002:2022
- Risk management (e.g. ISO/IEC 27005)
- Security architecture and operations
- Audit and communication skills
Risk Owner
Clauses 6.1.2, 6.1.3, 8.2, 8.3
Responsibilities
- Accountable for a specific risk and its treatment
- Approves the residual risk
- Ensures controls are operating effectively in their area
Required competencies
- Authority and budget for the risk area
- Understanding of business impact
- Familiarity with the risk methodology
Asset Owner
Controls 5.9, 5.10, 5.12, 5.15
Responsibilities
- Maintains the asset record and its classification
- Authorises access to the asset
- Ensures associated controls are implemented and monitored
Required competencies
- Authority over the asset
- Understanding of its business value and dependencies
Internal Auditor
Clause 9.2
Responsibilities
- Plans and executes the internal audit programme
- Reports findings objectively to management
- Verifies effectiveness of corrective actions
Required competencies
- Independence from the audited area
- Knowledge of ISO/IEC 27001:2022
- Auditing skills (e.g. ISO 19011)
Top Management Sponsor
Clauses 5.1, 5.2, 5.3, 9.3, 10
Responsibilities
- Approves the policy and information security objectives
- Allocates resources and authority to the ISMS
- Reviews ISMS performance and decides on improvements
Required competencies
- Strategic understanding of the business
- Authority to allocate resources
- Visible commitment to information security