To develop control 6 (Organization of information security), you must: design the organization chart, establish roles and requirements, create the matrix of responsibilities and draw up the procedure that governs the organization of personnel.
Before starting with the development of control 6 of Annex A, draw the organization chart of the information security management system. It must indicate, with extreme clarity, the roles directly related to information security. Afterwards it will be very simple to develop, in an integrated way, requirement 5.3 of ISO 27001 and the control of Annex A.
How to define the information security organization chart
We strongly encourage you to consider including the following roles in the organization chart:
- High management
- RGSI (Head of the information security management system)
- IT Manager
- Information system manager
- DPO (data protection officer)
- ADS (System Administrator)
According to the structure of the company, proceed to define the position of the other roles that are involved in the information security management system, such as, for example, the managers of business processes, as shown in the following example, where DPO stands for Process Manager and OP stands for Operator.
How to establish and document the roles and requirements of point 5.3 of ISO 27001: 2017
To ensure the effectiveness of the information security management system, we suggest creating a table that defines, for each role identified in the organization chart, the requirements that a person must possess in order to exercise that role.
In the following example, for each role identified in the organization chart, the necessary "personal" requirements have been indicated: qualifications and certificates, experience, possession of certifications and reputational references.
How to create the Information Security Responsibility Matrix
In a process-based management system, responsibilities must be defined in relation to the processes and, more precisely, in reference to specific phases of each process.
The matrix of responsibilities must indicate, for each phase of each system process:
- The process
- The stage of the process
- The manager (role of the organization chart)
- The document (system registration) that proves the exercise of responsibility
How to define the procedure that controls the organization of personnel pursuant to control 6 of Annex A of ISO 27001: 2017
In the personnel organization procedure we must give "objective evidence" that we have integrated all the corresponding controls of Annex A. The method we suggest, and that we illustrate in the following example, provides for an initial development of the personnel organization procedure aimed at implementing point 5.3 of ISO 27001, followed by its completion through paragraphs that specify how each individual control has been implemented. In the figure below, the controls of Annex A are shown in red font.