ISO 27001:2022 A 5.2 Information security roles and responsibilities

All information security and its responsibilities need to be defined and approved by the management. The responsibilities can be general (e.g. protecting information) or specific (e.g. the responsibility for accessing particular permissions). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Access to information security should be granted to relevant staff members for eg; CEOs, Business Owners, General Manager; HR managers; and Internal auditors. The auditor will be looking to gain confidence that the organization has made clear who is responsible for, and what is adequate according to the size and nature of the organization. For smaller organisations, it is generally unrealistic to have full-time roles associated with these roles and responsibilities. To protect information security one can choose relevant authority with in the organisation to-hold the responsibly and implementing the process.

A.5.2 Information security roles and responsibilities


Information security roles and responsibilities should be defined and allocated according to the organization needs.


To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.

ISO 27002 Implementation Guidance

Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies. The organization should define and manage responsibilities for:

  1. protection of information and other associated assets;
  2. carrying out specific information security processes;
  3. information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);
  4. all personnel using an organization’s information and other associated assets.

These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Individuals with allocated information security responsibilities can assign security tasks to others. However, they remain accountable and should determine that any delegated tasks have been correctly performed.
Each security area for which individuals are responsible should be defined, documented and communicated. Authorization levels should be defined and documented. Individuals who take on a specific information security role should be competent in the knowledge and skills required by the role and should be supported to keep up to date with developments related to the role and required in order to fulfill the responsibilities of the role.

Other information

Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of risks and mitigating controls. However, responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. Depending on the size and resourcing of an organization, information security can be covered by dedicated roles or duties carried out in addition to existing roles.

All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Information security is the responsibility of everyone at the organization. It is important to establish roles and responsibilities for staff, managers, and contractors/vendors so that everyone knows what is expected of them when handling information.Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of the business roles which are likely to have some information security relevance include; Departmental heads; Business process owners; Facilities manager; HR manager; and Internal Auditor. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO), Director of Information Security, although the title may vary depending on the Organization.As such, clarifying specific information security responsibilities within existing job roles is important e.g. the Operations Director or CEO might also be the equivalent of the CISO, the Chief Information Security Officer, with overarching responsibility for all of the ISMS. The CTO might own all the technology related information assets etc. No matter what title is selected, there should be someone at the organization who can provide a high level of decision-making support to leadership when considering information security issues and solutions. It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks. The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what in an adequate and proportionate manner according to the size and nature of the organisation.

Here are some of the vital IT security roles and the responsibilities associated with them. Don’t be surprised that sometimes, different roles share some responsibilities.

1) Information Security Board of Review

The Information Security Board of Review (ISBR) may an appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance campus-wide. In collaboration with the Chief Information Officer (CIO), the ISBR’s specific oversight responsibilities include the following:

  • Oversee the development, implementation, and maintenance of a strategic information systems security plan.
  • Oversee the development, implementation, and enforcement of information systems security policy and related recommended guidelines, operating procedures, and technical standards.
  • Oversee the process of handling requested policy exceptions
  • Advise the management on related risk issues and recommend appropriate actions in support of the risk management programs.


A CISO (Chief Information Security Officer) is the one whose task is to oversee corporate security strategy. The typical CISO’s responsibilities include:

  1. Planning long-term security strategy
  2. Planning and implementing data loss prevention measures
  3. Managing access
  4. Ensuring that the company implements proper safeguards to meet compliance requirements
  5. Investigating any incidents and preventing them in the future
  6. Assessing security risk
  7. Arranging security awareness training

3) Security and Information Compliance Officers

The Security and Information Compliance Officers may oversee the development and implementation of the ISP. Specific responsibilities can include:

  • To ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with federal and state laws.
  • To ensure appropriate risk mitigation and control processes for security incidents as required.
  • To document and disseminate information security policies, procedures, and guidelines
  • To coordinate the development and implementation of a information security training and awareness program
  • To coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.

4) Data Owner

A Data Owner is an individual or group or people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, location or administrative unit .The role of the data custodians is to provide direct authority and control over the management and use of specific information. These individuals might be department heads, managers, supervisors, or designated staff. Responsibilities of a Data Owner include the following:

  1. Ensure compliance with Organizational polices and all regulatory requirements. Data Owners need to understand whether or not any Organizational policies govern their information assets. Data Owners are responsible for having an understanding of legal and contractual obligations surrounding information assets within their functional areas.
  2. Assign an appropriate classification to information assets. All information assets are to be classified based upon its level of sensitivity, value and criticality to the Organization.
  3. Determine appropriate criteria for obtaining access to sensitive information assets. A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to- day provisioning of access. Provisioning access is the responsibility of a Data Custodian.
  4. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all staff members are permitted access to their own health benefits information. A Data Custodian should document these rules in a manner that allows little or no room for interpretation.
  5. Approve standards and procedures related to management of information assets.While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner’s responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.
  6. Understand how information assets are stored, processed, and transmitted.Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
  7. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.
  8. Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets. Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.
  9. Provision and de-provision access as authorized by the Data Owner. Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner.
  10. Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets. Data Custodians need to have a thorough understanding of security risks impacting their information assets. For example, storing or transmitting sensitive data in an unencrypted form is a security risk. Protecting access to data using a weak password and/or not patching vulnerability’s in a system or application are both examples of security risks.
  11. Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. Information Technology dept can assist Data Custodians with gaining a better understanding of their security risks.

5) Data Users

All users have a critical role in the effort to protect and maintain information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider of the who is authorized to access Information Systems and/or information assets. Responsibilities of data users include the following:

  1. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
  2. Users are also required to follow all specific policies, guidelines, and procedures established with which they are associated and that have provided them with access privileges.
  3. Report actual or suspected security and/or policy violations or breaches to IT. During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk. For example, a user comes across sensitive information on a website that he or she feels shouldn’t be accessible. If this happens, it is the users responsibly to report the situation.

6) Application Security Engineer

The job of an app security engineer has two major aspects. Firstly, you will need to help developers to create more secure apps. Secondly, you’ll need to control third-party apps used by your company and ensure their safety. Some of the typical responsibilities and tasks include:

  • Configuring technical security controls
  • Conducting an app risk assessment
  • Whitelisting/blacklisting apps
  • Performing penetration testing

For app security engineers, it’s vital to control SaaS apps and the risks related to them. Risky and insecure apps should be blacklisted. To automate the job and remain time-efficient, he will probably need specialized software that helps with app security assessment and whitelisting/blacklisting.

7) Data Protection Officer(DPO)

Having a DPO may be one of the compliance requirements. A DPO must be appointed in organizations working with large-scale systematic monitoring or processing of sensitive data. Officers oversee corporate data protection measures and their effectiveness. A specialist, appointed to the DPO role, controls whether corporate security is of a sufficient level to meet compliance requirements, and recommends security upgrades if needed. That’s why an in-depth understanding of data security and compliance are essential skills. The DPO orchestrates, manages, and supervises all the activities that are aimed at protecting users’ data and communicates the status to both internal and external parties. This includes:

  • Creating an effective step-by-step privacy program
  • Supervising the entire implementation process of the program at all stages
  • Assuring that all the data processes are being conducted
  • Reporting to the management, stakeholders, and all the parties involved on how the implementation process goes
  • Reporting to the management on the potential threats to data security and general integrity, and what can be done to eliminate them
  • Educating employees on the matters of data privacy and data protection
  • Training staff that is directly related to or involved in the data collection, processing, or storing
  • Keeping track of and recording all the operations that involve users’ personal data and the reasons for these operations to take place
  • Auditing the data processes to assess their performance and address possible problems proactively
  • Reporting on the progress of the implementation and maintenance of the data privacy program in the company to the authorities, stakeholders, and public/customers
  • Being a connective link between the organization and data subjects (users/customers). Communicating with data subjects on how their data are being handled, what rights do they have, and addressing all their requests concerning their data
  • Communicating with supervisors and being a connecting link between the organization and authorities

8)Network Security Engineer

As the name suggests, a network security engineer’s job is to protect corporate networks from data breaches, human error, or cyberattacks. Engineers are responsible for:

  • Configuring network security settings
  • Performing penetration testing
  • Developing and implementing sufficient measures to detect cyber threats
  • Implementing network security policies
  • Installing and maintaining security software like firewalls or backups
  • Also, a deep understanding of cloud security may be required.

9)Security Administrator

An IT security admin is a role that includes a wide range of skills and responsibilities to manage the protection of the company’s data. Some of the most common admin’s responsibilities include:

  • Managing access
  • Ensuring that data migration is secure
  • Configuring security software
  • Monitoring data behavior for abnormal activities
  • Implementing security policies
  • Testing company’s systems to locate potential risks and vulnerabilities
  • Reporting security statuses and incidents (if any)
  • Using software tools to automate some of the tasks

An admin’s role is more significant than it may seem at first glance. An admin has to keep the whole organization’s security landscape in mind and ensure that even the tiniest processes are executed correctly. After all, even one careless click may be enough to initiate a cyberattack.

10) Security Analyst

What is the role of an information security analyst? This role is related to protecting corporate information against cyber attacks and insider threats. Generally, an analyst has to determine potential risks and vulnerabilities inside the system, so a deep understanding of data security threats and ways to prevent them is a must. As a security analyst, your responsibilities will include:

  • Analyzing and configuring corporate systems to improve their security
  • Analyzing data loss prevention measures
  • Looking for system vulnerabilities and ways to fix them
  • Monitoring data behavior for abnormal activities
  • Verifying security, availability, and confidentiality of corporate data
  • Also, the security analyst’s role requires an understanding of white hat hacking to design more advanced protection against cyber attacks. Analysts often work together with security architects.

11) Security Architect

A security architect is one of the senior-level IT security positions. An architect is focused on creating a secure-by-design environment. Unsurprisingly, this position requires a solid understanding of network, app, and hardware security, as well as experience with various systems. Generally, an architect’s responsibilities include:

  • Assessing the system’s security controls and processes to find potential security gaps
  • Planning changes and upgrades for corporate IT infrastructure
  • Maintaining system integrity
  • Implementing insider threat control measures
  • Choosing new security software if needed
  • Implementing disaster recovery measures
  • Analyzing previous incidents and creating an incident response plan
  • Analyzing the costs and benefits of security solutions

Of course, the exact scope of your tasks as an architect will vary depending on each organization’s unique infrastructure and needs. Often, an architect needs to assess corporate systems for meeting security compliance standards to decide what changes are needed to become compliant.

12) Security Specialist

An IT security specialist is a person responsible for keeping corporate data safe. Security specialists maintain and upgrade systems and procedures to prevent data loss or leakage. IT specialists have many sub-specializations. Depending on a specific environment, an information security specialist will have a stronger focus on cloud, network, app, database or device security. In some cases, especially in small businesses, an IT security specialist is an all-rounder with responsibilities combining many cyber security roles at the same time. That’s why a security specialist must have strong IT skills and a deep understanding of both software and hardware—and, of course, an ability to locate potential vulnerabilities and fix them.

Leave a Reply