If you read between the lines of this clause, it is really about establishing clarity in your information security management system (ISMS) and then communicating that clarity to your employees.
Let’s start with clarity. You need to be clear about the roles that people have, and about the authority and responsibility that each role carries.
Secondly, you communicate those roles, authorities and responsibilities so that everyone is aware of each other’s tasks and activities.
If those roles are clear, then your ISMS will just fall into place. It is for this reason that, in my opinion, clause 5.3 is one of the easier clauses to achieve.
However, get it wrong, and your whole system will lack direction and ultimately fail to deliver.
For an organisation to meet the desired outcomes of the ISMS, top management needs to lead this clause. This requires establishing and communicating the following to all team members:
Here at Mango, our structure is simple. We use an organisational chart to display the relationships between everyone in the company. This was communicated to staff so that everyone was clear on reporting lines if they had any issues. Once the structure and lines of reporting were defined, we made sure that each employee had a thorough understanding of their job role.
Details of each job role needed to be provided both in writing and verbally. Just choosing one delivery method doesn’t cut it – provide only a written outline of a job role, and your employee has no opportunity to clarify, no chance to ask questions, no place to raise concerns. Just having a chat about their job role is no good either – both of you will probably forget 80% of what is discussed.
So at Mango we sat down with each staff member and discussed their unique job description. We talked them through each responsibility and process, and defined appropriate goals that align with our system. We invited questions and provided clarification where required. Take your time over this, because it’s really important.
In addition, at Mango we give each employee their own login to our software, which gives them access to all the ISMS information they need. Once this step is complete, we provide them with the necessary training. This process enables employees to perform their duties in line with the requirements of our ISMS.
An area that doesn’t get stressed enough is the importance of employees being aware of other colleagues’ job roles. Understanding the responsibilities of other team members helps every individual understand the impact of their own and everyone else’s input. It helps employees see the bigger picture and to appreciate how they are working together to achieve the desired outcomes.
One highly effective way of achieving this is documenting a ‘Roles and Responsibilities Procedure’. This is a list of all the positions in the organisation and the roles and responsibilities under each position. Again, employees need to be given both verbal and written communication of this.
Now it’s time to discuss the most important part of the clause – promoting the protection of information. Unfortunately, too many organisations get caught up in their daily activities and forget about protecting information. Information protection needs to be at the forefront of everything an organisation does. Here at Mango, every single team member is responsible for information security.
Here is a list of takeaways that will help you achieve this clause:
View previous blogs in this series "ISO 27001 Information Security Management Standard":
ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values
ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 5.1 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 5.2 of ISO 27001:2013