Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

ISO 27001 Annex 5.2: Information Security Policies (2022)

Annex 5.2 of the 2022 version of the ISO27001 standard can be mapped to ISO27001:2013 Annex 6.1.1.

Annex 5.2 of the ISO27001:22 standard outlines the need to establish who is responsible for initiating and controlling information security within an organisation. This framework is an essential component of any information security management system (ISMS).

All personnel with roles and responsibilities that relate to the ISMS should be listed within organisational documentation. These responsibilities may be broad or focused, dependent on the individual’s role within the organisation and the size of the organisation itself.

Within larger organisations it is common for personnel to be hired to fulfil roles that require significant information security responsibility.

The purpose and requirements of Annex 5.2

Within an organisation, employees have a range of responsibilities that require them to handle company information and process data. The aim of defining information security roles and responsibilities is to attribute ownership for information assets and identify how a designated owner should apply their responsibility on a daily basis.

The size and setup of an organisation will influence how and why roles and responsibilities are attributed – whether they are general responsibilities or specific duties such as handling payment card information or customer data.

The robustness of an information security system is reliant on clear attribution of responsibility and clear lines of communication between personnel – from chief information security officer (CISO) to mid-level system owners and department heads.

During an audit of information security, the clarity of these roles and responsibilities will be scrutinised to ensure that an organisation has defined functions in an adequate and practical way. This can be documented in a table or organisation chart that details information security accountabilities for relevant personnel or job roles.

Where necessary, training should be provided to employees with responsibility for managing information or processing data.