Control 5.2: Information Security Roles and Responsibilities
Summary
This control requires the definition and allocation of information security roles and responsibilities within the organization. By formalizing who is responsible for specific security tasks, the organization ensures accountability and prevents gaps in security management.
Applicability
In-Scope: Mandatory for establishing a clear governance structure. It is essential for organizations where multiple departments (IT, HR, Legal) must collaborate on security and where clear accountability is required for audit and regulatory compliance.
Out-of-Scope: Only potentially reduced in scope in extremely small, flat organizations where all security functions are managed by a single individual; even then, the responsibility for oversight must be formally assigned.
Implementation Guidance
Microsoft 365 / Entra ID
- Role Definition: Use Entra ID Roles and Administrators to assign specific security permissions (e.g., Security Reader, Security Administrator) following the principle of least privilege.
- Accountability: Implement Privileged Identity Management (PIM) to provide "just-in-time" access, ensuring that high-level responsibilities are only active when necessary and are fully logged.
- Documentation: Use Microsoft 365 Groups or Shared Mailboxes to define functional responsibilities for security incident response or change management.
Evidence Checklist
- Role Descriptions: Documented job descriptions or a RACI matrix defining security responsibilities across the organization.
- Appointment Records: Evidence of formal assignment of the CISO or equivalent security leadership role.
- Access Reviews: Periodic logs showing that assigned roles are reviewed and remain appropriate for the current staff.
Practical Audit Advice
Here are some questions the auditor might ask:
- Can you demonstrate how security responsibilities are communicated to new hires during the onboarding process?
- How does the organization ensure that security roles remain segregated to prevent a single person from having end-to-end control over a sensitive process?
- If a key security stakeholder leaves the organization, what is the formal process for reassigning their specific security responsibilities?
- Can you show the link between the high-level roles defined in your policy and the actual technical permissions assigned in Entra ID?
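The implementation guidance above (least-privilege role assignment, PIM for privileged roles) and the last audit question (tracing policy roles to actual Entra ID permissions) both come down to one recurring check: reconcile the RACI matrix against what is really assigned in the directory. The script below is an added example written for this page, not part of the control text or of any Microsoft tooling. It works offline on a constructed export of role assignments; the business-role mapping, the segregation-of-duties pair, the PIM-required set and all user names are assumptions made up for the example. The directory role names (Security Reader, Security Administrator, Compliance Administrator) are real Entra ID built-in roles, but which business role may hold which of them is policy the example invents.

```python
"""Reconcile policy-defined security roles against an Entra ID role-assignment export.

Added example for ISO 27001 Control 5.2, not code from the original page or from
Microsoft. Every data value below (RACI mapping, SoD rule, PIM rule, assignment
export) is constructed sample data with hypothetical names.
"""
from dataclasses import dataclass
from collections import Counter

# Constructed RACI-style mapping: business role -> Entra ID directory roles it may hold.
POLICY_ROLE_MAP = {
    "SOC Analyst": {"Security Reader"},
    "Security Engineer": {"Security Administrator", "Security Reader"},
    "Compliance Officer": {"Compliance Administrator"},
}

# Constructed segregation-of-duties rule: no single person may hold both roles at once.
SOD_CONFLICTS = {frozenset({"Security Administrator", "Compliance Administrator"})}

# Constructed policy: these roles must be PIM-eligible (just-in-time), never permanently active.
PIM_REQUIRED = {"Security Administrator", "Compliance Administrator"}


@dataclass(frozen=True)
class Assignment:
    user: str             # user principal name
    business_role: str    # role recorded in the HR / RACI register
    entra_role: str       # Entra ID directory role name
    assignment_type: str  # "permanent" (active) or "eligible" (PIM)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


# Constructed export, shaped like a flattened role-assignment report (hypothetical users).
SAMPLE_ASSIGNMENTS = [
    Assignment("alice@example.com", "SOC Analyst", "Security Reader", "permanent"),
    Assignment("bob@example.com", "Security Engineer", "Security Administrator", "eligible"),
    Assignment("carol@example.com", "Compliance Officer", "Compliance Administrator", "permanent"),
    Assignment("carol@example.com", "Compliance Officer", "Security Administrator", "eligible"),
    Assignment("dave@example.com", "Intern", "Security Reader", "permanent"),
]


def reconcile(assignments):
    """Return the list of policy deviations found in the assignment export."""
    findings = []
    roles_by_user = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.entra_role)
        allowed = POLICY_ROLE_MAP.get(a.business_role)
        if allowed is None:
            # Business role not in the RACI register: the assignment has no documented owner.
            findings.append(Finding(a.user, "unknown-business-role", a.business_role))
        elif a.entra_role not in allowed:
            # Technical permission not justified by the holder's documented business role.
            findings.append(Finding(a.user, "unjustified-role",
                                    f"{a.entra_role} not permitted for {a.business_role}"))
        if a.entra_role in PIM_REQUIRED and a.assignment_type == "permanent":
            # Privileged role standing active instead of PIM just-in-time.
            findings.append(Finding(a.user, "permanent-privileged", a.entra_role))
    # Segregation of duties is a per-person property, so check after aggregating all roles.
    for user, roles in roles_by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(Finding(user, "sod-conflict", " + ".join(sorted(pair))))
    return findings


def summarize(findings):
    """Count findings per kind; this is the figure an access-review record would cite."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = reconcile(SAMPLE_ASSIGNMENTS)
    for f in results:
        print(f"{f.user:22} {f.kind:22} {f.detail}")
    print(summarize(results))
```

Run periodically against a fresh export and keep the output with the review record: an empty finding list is the evidence that assigned roles still match the policy, and each finding names the person whose responsibility needs re-confirming or whose permission needs removing.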