ISO 27001:2022 Requirements: Clause 5.3 Organisational Roles, Responsibilities and Authorities

This version of clause 5.3 is applicable to both ISO 27001:2022 and ISO 27001:2013.

The involvement of the organisation's top management is an essential part of the standard and critical for information security. Top management must establish and communicate clear roles and responsibilities for the ISMS to carry out the functions of information security.

Top management and senior leadership do not necessarily need to appoint new staff to fulfil these roles; instead, the responsibilities just need to be clearly allocated to the relevant people. This could be a CTO or a CISO (Chief Information Security Officer), but is not limited to C-suite or senior management roles. It just needs to be made clear who is responsible for what, both from strategic and practical implementation points of view. For example, a senior or middle manager could have responsibility for the ISMS, with a more junior member of staff handling the hands-on, day-to-day implementation.

The standard essentially requires the top management to assign the responsibility and authority to ensure all the requirements of the ISMS are met and to report on the performance of the ISMS.

The successful implementation of clause 5 will provide accuracy, support and guidance from top management.