Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
Information security roles and responsibilities must be defined and allocated according to organizational needs.
Plain-language meaning
People must know what they are responsible for, and the organization must be able to prove those responsibilities were assigned, communicated, accepted, and kept current.
This control is not just about appointing a CISO. It applies to:
- employees;
- contractors;
- temporary workers;
- third-party users;
- managers;
- technical administrators;
- asset owners;
- process owners;
- risk owners;
- outsourced service providers.
Core idea
The organization must clearly define:
- who owns information security overall;
- who owns specific assets;
- who owns risks;
- who approves access;
- who monitors systems;
- who handles incidents;
- who manages third parties;
- who performs reviews;
- who maintains policies;
- who reports issues;
- who has authority to make security decisions.
A common failure is assuming “security belongs to the security team.” That does not scale.
Role, responsibility, accountability, authority
| Concept | Meaning | Example |
|---|---|---|
| Role | The position or function someone performs | System owner, asset owner, CISO |
| Responsibility | The task or duty assigned to a role | Review access every quarter |
| Accountability | The person ultimately answerable for the outcome | Business owner accountable for access to their application |
| Authority | The right to make decisions or approve actions | Approve privileged access, accept risk, approve exceptions |
Important rule:
Responsibility can be delegated, but accountability remains with the accountable owner unless formally reassigned.
Why this matters
Unclear responsibilities create gaps.
| Weak responsibility definition | Result |
|---|---|
| “IT handles access.” | Business owners may not review whether users still need access |
| “Security handles incidents.” | Employees may not know how to report suspicious activity |
| “Vendors manage the system.” | No internal person verifies supplier obligations |
| “Everyone is responsible for security.” | True but too vague; nobody may own specific actions |
The phrase “everyone is responsible for security” is not enough. It must be supported by specific role-level responsibilities.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Assign overall responsibility for information security
There should be a person or function responsible for information security, such as:
- Chief Information Security Officer;
- Head of Information Security;
- ISMS Manager;
- Security Officer;
- Information Security Lead.
In smaller organizations, this may be part-time or combined with another role. That can be acceptable if responsibilities are clear and conflicts of interest are managed.
2. Separate security leadership from risk ownership
The person responsible for information security may not be the same as the person who owns information risk.
| Role | Typical responsibility |
|---|---|
| CISO / Security Manager | Maintains ISMS, governance, control framework, reporting, monitoring |
| Business Risk Owner | Accepts or treats risks affecting their business process |
| Asset Owner | Ensures assets are classified, protected, and used appropriately |
| System Owner | Ensures a system is operated and controlled securely |
The CISO should not be forced to own every business risk. Security can advise and challenge, but business owners should own risks in their area.
3. Define baseline responsibilities for all personnel
All employees, contractors, and third-party users should have basic security responsibilities.
Examples:
- follow information security policies;
- protect credentials;
- report suspected incidents;
- use company systems appropriately;
- protect confidential information;
- complete required training;
- comply with classification and handling rules;
- avoid unauthorized software or data sharing;
- follow clean desk, remote work, and acceptable use requirements.
Baseline responsibilities may be documented in:
- job descriptions;
- employee handbook;
- employment contracts;
- acceptable use policy;
- onboarding materials;
- annual policy acknowledgement;
- security awareness training.
4. Define detailed responsibilities for special roles
Some roles need more detail because they have elevated access or direct control over important systems.
| Role | Specific responsibilities needed |
|---|---|
| System administrator | Manage privileged access, apply patches, monitor system health, follow change management |
| Network administrator | Secure network devices, maintain firewall rules, monitor network events |
| Developer | Follow secure coding standards, remediate vulnerabilities, protect source code |
| HR manager | Ensure joiner/mover/leaver processes and disciplinary processes |
| Asset owner | Classify assets, approve access, define protection requirements |
| Risk owner | Review, treat, and accept risks within authority |
| Incident response team member | Follow response process, preserve evidence, escalate appropriately |
| Procurement/vendor manager | Ensure supplier security requirements are included and monitored |
| Security analyst | Monitor alerts, investigate events, escalate incidents |
| Privacy/legal role | Advise on regulatory and contractual obligations |
For these roles, general statements are not enough.
5. Communicate responsibilities
Responsibilities should be communicated through:
- onboarding;
- job descriptions;
- contract terms;
- security training;
- policy acknowledgement;
- team briefings;
- role-specific training;
- procedure walkthroughs;
- performance objectives;
- third-party onboarding.
6. Keep responsibilities consistent with policies and procedures
Responsibilities in policies, procedures, job descriptions, RACI matrices, and contracts must not conflict.
Example of conflict:
| Document | Responsibility stated |
|---|---|
| Access Control Policy | Business owner approves access |
| Joiner/Mover/Leaver Procedure | IT approves access |
| Job description | HR approves access |
Better model:
| Role | Responsibility |
|---|---|
| Manager | Requests access based on business need |
| Business/system owner | Approves access |
| IT | Implements approved access |
| Security | Monitors privileged access and exceptions |
| HR | Triggers joiner/mover/leaver process |
7. Update responsibilities when roles change
Examples:
| Change | Required action |
|---|---|
| Employee becomes manager | Add team compliance and access approval responsibilities |
| Developer moves to production support | Add change management and privileged access responsibilities |
| Contractor becomes system admin | Add privileged access, logging, and admin duties |
| New incident response member appointed | Provide incident response training |
| New vendor owner assigned | Update supplier security responsibility |
Changes should be communicated promptly and supported with appropriate training.
8. Manage delegation correctly
Delegation must be explicit and verified.
Define:
- what is delegated;
- to whom;
- for how long;
- what authority is included;
- what reporting is required;
- how completion is verified.
Bad delegation:
Security is handling it.
Better delegation:
The Infrastructure Manager is responsible for remediating critical server vulnerabilities within the agreed SLA. The Head of IT remains accountable for remediation performance and reports status monthly to the risk committee.
9. Include contractors and third parties
Temporary employees, contractors, and third-party users must have defined security responsibilities.
This may be handled through:
- contracts;
- statements of work;
- supplier security schedules;
- onboarding packs;
- acceptable use agreements;
- NDAs;
- access agreements;
- third-party security requirements;
- SLAs;
- incident notification clauses.
Accountability problems to watch for
Overlapping responsibility without primary accountability is dangerous.
| Control activity | Bad ownership | Better ownership |
|---|---|---|
| Access reviews | IT and business teams | Business owner accountable; IT supports evidence extraction |
| Vulnerability remediation | Security and infrastructure | Infrastructure owner accountable; security monitors and reports |
| Incident response | IT/security/legal | Incident manager accountable; defined roles for each function |
| Supplier monitoring | Procurement and security | Vendor owner accountable; procurement/security support |
| Backup testing | IT operations | Service owner accountable; backup admin performs test |
Shared responsibility is normal. Shared accountability is dangerous unless one owner is primary.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors check whether responsibilities are:
- defined;
- allocated;
- documented;
- communicated;
- understood;
- current;
- consistent;
- accepted;
- applied to employees, contractors, and third parties.
Audit tests
| Audit area | What to check | Example evidence |
|---|---|---|
| Overall security responsibility | Has someone been appointed to lead information security? | CISO appointment, org chart, job description |
| Role-level responsibilities | Are security responsibilities defined for relevant roles? | Job descriptions, RACI, role profiles |
| General staff responsibilities | Do all personnel have basic security duties? | Employee handbook, policy acknowledgement |
| Special role responsibilities | Are high-risk roles documented in detail? | Admin job description, incident team charter |
| Awareness | Do personnel understand responsibilities? | Interviews, training records |
| Acceptance | Have responsibilities been acknowledged? | Signed job descriptions, contract clauses |
| Consistency | Do policies, procedures, and job descriptions align? | Cross-check documents |
| Currency | Are documents current? | Version history, review date |
| Changes | Are responsibility changes communicated and trained? | Addenda, LMS records |
| Delegation | Are delegated tasks tracked and verified? | Delegation records, task logs |
| Third parties | Are contractor/vendor responsibilities defined? | Contracts, SOWs, access agreements |
| Accountability | Is there a clear accountable owner for key activities? | RACI, control owner register |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control or process operated for real cases.
- Approved information security organizational structure.
- Named CISO, ISMS Manager, or security owner.
- Job descriptions include security responsibilities.
- Privileged roles have specific security duties.
- Employees have acknowledged policies and responsibilities.
- Contractors have signed acceptable use and confidentiality obligations.
- Third-party contracts include security responsibilities.
- RACI matrix defines accountable owners for key ISMS processes.
- Access control, incident management, supplier management, and risk responsibilities are consistent across documents.
- Role changes trigger updated responsibilities and training.
- Security objectives included in performance reviews for relevant roles.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.
- “Everyone knows what to do.”
- Security responsibilities exist only in a generic policy.
- No named owner for information security.
- CISO owns everything, including business risk acceptance.
- Contractors have system access but no documented responsibilities.
- Job descriptions are outdated.
- Responsibilities in policy conflict with procedures.
- No evidence employees received or accepted responsibilities.
- Multiple teams are listed as responsible, but no one is accountable.
- Outsourced provider is responsible for controls, but no internal owner manages the provider.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| No accountable control owners | Controls may not operate or be evidenced |
| Too much assigned to security team | Business risk ownership becomes weak |
| Contractors excluded | Third-party users may create unmanaged risk |
| Old job descriptions | Responsibilities may not reflect current access or systems |
| Delegation not tracked | Accountable owners cannot prove work was completed |
| Overlapping duties | Everyone assumes someone else did it |
| Role changes not reflected | New responsibilities may be missed |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Only the security team needs defined responsibilities — wrong.
- Appointing a CISO alone satisfies the control — wrong.
- Delegating responsibility transfers accountability — wrong.
- Contractors and temporary workers are exceptions — wrong.
- General statements are enough for high-risk roles — wrong.
- Shared responsibility means shared accountability — risky and usually weak.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.2 requires security roles and responsibilities to be defined, allocated, communicated, accepted, and kept current. Baseline responsibilities apply to all personnel, while high-risk roles need specific documented responsibilities. Delegated tasks must be verified, accountability must remain clear, and contractors and third parties must be included.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Roles
- Responsibilities
- Audit
Note Metadata
Aliases: A.5.2, Information Security Roles, Security Responsibilities
Source: 02 Annex A Organizational Controls/A.5.2 Information Security Roles and Responsibilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
6
links
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO27001 ISMS KB - Start Here
- Management Responsibilities
- Roles and Responsibilities
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- A.5.2 vs A.5.4 Comparison
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- A.5.2 Audit Evidence Pack
- AQ-ISO27001-A.5.2 Information Security Roles and Responsibilities
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.2 Information Security Roles and Responsibilities
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-005 - Responsibility vs Accountability
- ISO 27002 Annex A Control Interpretation Map
- Template - A.5.2 Audit Checklist
- Template - Control Owner Register
- Template - Information Security Role Definition
- Template - RACI Matrix
- Template - Role and Responsibility Interview Questions
- Template - Security Responsibilities Addendum
- Annex A Controls MOC