Plain-language meaning
Roles and responsibilities define who is accountable for information security activities, who performs them, who approves them, and who must be consulted or informed.
For ISO/IEC 27001 study, link this concept back to A.5.2 Information Security Roles and Responsibilities. That control note is the detailed Annex A note for assigning, communicating, and maintaining security responsibilities.
Practical use
Use this concept when building RACI matrices, control owner registers, audit interview plans, supplier responsibilities, access approval workflows, and management review inputs.
Exam cue
Responsibility and accountability are related but not identical. Responsibility is about doing the work; accountability is about being answerable for the outcome.
Related notes
- Iso27001
- Isms
- Fundamentals
- Roles and responsibilities
Note Metadata
Aliases: Information Security Roles and Responsibilities
Source: 01 Fundamentals/Roles and Responsibilities.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Segregation of Duties
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- A.6 People Controls MOC
- ISMS Implementation Roadmap
- ISO 27005 Risk Process Notes
- EXAM-005 - Responsibility vs Accountability
- Template - Control Owner Register
- Personnel Security Responsibility Acknowledgement
- Template - RACI Matrix
- Role-Based Security Training Matrix
- ISO 27001 Overview