A.5.2 Information Security Roles and Responsibilities

Purpose

The purpose of this procedure is to clearly define the roles and responsibilities related to information security within the organization, ensuring that every employee understands their role and contributes to effective security risk management.

Scope

This procedure applies to all organizational employees, including management, staff, subcontractors, and external suppliers working with the organization's information systems.

Definitions

  • Information Security Role: A defined role within the organization that includes direct or indirect responsibility for information security.
  • Information Security Responsibility: The duties and rights of an employee or role holder in the organization regarding the confidentiality, integrity, and availability of information.

Responsibility

  • Organization Management:

    • Responsible for allocating resources and supporting roles related to information security.
    • Defines the security policy and determines the responsibilities of each role.
  • Information Security Officer:

    • Responsible for developing, managing, and distributing the information security policy.
    • Ensures that all role holders are aware of their responsibilities and roles concerning information security.
  • Unit Managers:

    • Responsible for implementing information security procedures in their units and ensuring compliance.
    • Ensure that every employee in their unit is aware of their role and responsibility regarding information security.
  • Organizational Employees:

    • Responsible for acting in accordance with information security procedures and protecting the information they encounter in their role.
    • Must report any concerns or security incidents to the Information Security Officer.

Process

1. Defining Information Security Roles

  • The organization's management, in coordination with the Information Security Officer, will define the key roles related to information security, including responsibilities, authorities, and rights.

2. Allocating Roles and Responsibilities

  • Every employee in the organization will be assigned specific roles and responsibilities related to information security, based on their organizational role and area of operation.

3. Training and Education

  • The organization will provide training for employees and managers regarding their roles and responsibilities for information security, including regular updates on new procedures and changes to the security policy.

4. Monitoring and Review

  • The Information Security Officer will conduct periodic checks to ensure that all employees are aware of and implementing their responsibilities related to information security.

5. Reporting and Exceptions

  • Every employee is required to report to the Information Security Officer any suspected violation of security procedures or any uncertainty regarding their role or responsibility.

Notes

  • The organization will conduct periodic compliance surveys to ensure that all role holders are fulfilling their information security responsibilities effectively.
  • Information security procedures will be part of the employment agreement for all new hires and will be clarified during their initial training.