Transcript for:
ISO 27001 Annex A.5.2 Summary

Hello, I'm Stuart Barker, the ISO 27001 Ninja, and in this tutorial video we're going to take a look at ISO 27001 Annex A 5.2, Information Security Roles and Responsibilities. So this is a really easy one for us to implement, a really easy one for us to go through. Stick with me till the end and I'll show you how you can get hands on a template that's already got this populated for you.

So what is the standard looking at here? The standard is looking at you to define the information security roles that you have. So, to define them: by "define" it means document them, and then assign them to people. Nice and easy, right?

So what are the kind of things that we're going to be looking at? Well, we're going to be looking at roles that relate to the implementation of the information security management system, the operation of the information security management system, and the oversight of the information security management system. And then, depending on your size and complexity, there may be some additional roles that you have when it comes to this particular Annex A control.

One of the questions that we get asked is, "Oh, but we're a super small business, right? We could be two people, five people, ten people. Do we need all of the roles, and can one person hold more than one role?" So the answer is yes, there are some very specific roles that you do need, and yes, one person can hold more than one role, so it's not a direct mapping. What we do need to be wary of is the Annex A control related to segregation of duties, so we just need to make sure that when we allocate our roles there isn't any conflict, which nine times out of ten there isn't going to be, and we are going to be absolutely golden.

So what kind of roles is it that we're going to need? We're going to need an oversight body, right? So one of the roles that I put in, one of the groups that I put in, is the Information Security Management Review Team. The Management Review Team is the team that sits above the information security management system, and it has some very specific requirements and it conducts a very specific role, and that itself actually is documented in one of the later controls and in one of the ISO 27001 clauses. That's about oversight, approval, signing off of policies and procedures, about continual improvement, reviewing the risk register: a very specific agenda, and we'll come to that on another clause tutorial.

So we have the Management Review Team. Then we've got the Information Security Manager; this is going to be the person that's responsible for the implementation and operation. Then we're going to have things like a Business Continuity Manager, we're going to have a Supplier Manager, we're going to have an HR Manager. So there are a number of roles that we're going to have that have specific requirements and specific duties under the information security management system.

And the way that we're going to do that is we're going to look at the Annex A controls that we've chosen. So we spoke previously about defining scope, understanding risk, and then choosing controls based on that risk. For those Annex A controls we're going to identify what roles those controls need, and we're going to define them. And then once we've got all of these roles defined, we're going to allocate them, right? Nice and easy. So we're going to pick people in the organization. So the rules on allocation: make sure the person is competent to perform the role; make sure that there is no conflict of duty with the roles that you allocate to people; and yes, it is possible to seek external help, external support, third-party contractors or consultants on a number of these things, right? If that's the case, they don't have to be full-time employees.

So we're going to get our roles defined, we're going to allocate our people to our roles. What are the common things that people do? They don't document their roles; that's a common mistake. Another common mistake that people have is allocating roles but not keeping it up to date, so come the audit time, people that are allocated to roles have absolutely left the organization. So those are two of the most common ones.

If you want to download a copy, I have a template, as would come as no surprise: a documented roles and responsibilities template, individually downloadable but also part of the ISO 27001 Toolkit, the ultimate toolkit for ISO 27001 certification. So be sure to head across to the high. iso template store and you can fast-track that, right? I'm also going to put a link below to the blog that gives you a lot more detail on this particular Annex. But that is ISO 27001 Annex A 5.2, Information Security Roles and Responsibilities, in a nutshell. Until the next tutorial video, peace out.