The controls listed in Annex A of ISO 27001 have been updated in the new 2022 version of the standard to reflect the emergence of cloud technologies and the new threats that have appeared since the previous version was published back in 2013.

They essentially tell you what you should do to minimise (or eliminate) the risks associated with your information security management system (ISMS). One of the strengths of certification to ISO 27001 is the power of the controls listed in Annex A.

They have been split up into 4 different categories:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

Here, we start with some of the Organisational controls. 

A.5.1 Policies for information security

As with most ISO standards, getting management commitment and setting a managerial direction is key to a successful implementation of your ISMS. 

Meeting this clause is straightforward: the work was already completed for clauses 5.1 and 5.2. As such, it has been covered in the previous blog: Clause 5: A focus on leadership, commitment, responsibility and information security policy.

The main takeaways on creating, establishing and implementation of a policy were:

  • The policy must be communicated, understood and applied.
  • Management needs to show commitment to the policy.
  • Commitment needs to be shown at all levels of the organisation.
  • The policy does not need to be complicated.

One way to do this is to make your manual link through to the information security policy.

The second part of A.5.1 is that the policies need to be reviewed at planned intervals or if significant changes occur.

The best way to achieve this is creating an event or meeting to review the information security policy annually to check for the suitability, adequacy, and effectiveness of the policy.

A.5.2 Information security roles and responsibilities

This clause starts with responsibilities. As with any management system, being clear about everyone’s roles, responsibilities and authorities is key to having a successful system.

A logical beginning is with an organisational chart to display the relationships between everyone in the company. This should be communicated to staff so everyone is clear on reporting lines if there are any issues. Once the structure and lines of reporting are defined, make sure that each employee has a thorough understanding of their job role. 

Details of each job role need to be provided both in writing and verbally. If you provide only a written outline of a job role, your employee has no opportunity to clarify, no chance to ask questions and nowhere to raise concerns. Just having a discussion about their job role is no good either – you will both probably forget 80% of what is discussed.

An area that doesn’t get emphasised enough is the importance of employees being aware of other colleagues’ job roles. Understanding the responsibilities of other team members helps every individual understand the impact of their own and everyone else’s input. It helps employees see the bigger picture and to appreciate how they are working together to achieve the desired outcomes. 

A.5.3 Segregation of Duties

The next clause, similar in spirit to being clear about responsibilities, is segregation of duties. The standard spells it out that segregation helps “reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets”. So, make sure that your system has the duties segregated effectively: have different people and roles review and check each other’s work before it can be pushed into the live environment, or before any critical transactions are performed, so that no single person can both make a change and approve it.

A.5.4 Management responsibilities

This control is aimed at making management aware of their responsibility for ensuring that employees follow the information security policies and procedures. This is best done by embedding information security into your existing processes.

Initially, we recommend starting with a strong induction programme. Update your induction system to include information security. Depending on your system, you should cover all your policies, management of assets, access to systems, access to buildings, password strength, malware, backups, software controls, networks, purchasing, incidents and business continuity.

Next, implement an ongoing training and education programme for all your staff. Cover the items listed above as an ongoing process. One-off training and education sessions don't usually suffice: staff will forget if they are not reminded with periodic follow-up training.

Another way to help with this is to hold a monthly review meeting with all staff. During those sessions, incorporate some education and training on information security. This education can then be recorded as professional development for each employee.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.