Annex A · Organisational Control

A.5.2 — Information Security Roles and Responsibilities

Reviewed by: Cenedril Editorial
Tags: A.5.2 · ISO 27001 · ISO 27002 · BSI ISMS.1

The organisation chart lists an “IT Security Officer”, but nobody knows who actually fills the role. Responsibility for patch management sits in a grey zone between IT operations and the security team. When an incident occurs, three people assume someone else will respond. A.5.2 exists to eliminate exactly this kind of ambiguity.

Clear role definitions are the connective tissue between the policy framework (A.5.1) and day-to-day operations. Every control in Annex A ultimately relies on someone being responsible for its implementation and monitoring.

What does the standard require?

  • Define all information security roles. The organisation must identify every role that is relevant to information security — from the CISO to asset owners, risk owners and incident responders.
  • Assign roles to named individuals. Each role needs a specific person (or clearly defined team) who carries it. Roles without an assignee are roles without effect.
  • Separate accountability from execution. Top management remains accountable for information security overall. Operational responsibilities can be delegated, but the delegation must be documented.
  • Communicate roles internally. Everyone in the organisation must know who is responsible for what. External parties who interact with the ISMS (e.g. managed-service providers) also need to know their contact points.
  • Review and update roles regularly. Role assignments must be revisited when the organisation changes — reorganisations, departures, new business areas.

In practice

Anchor roles in the organisational structure. Information security responsibilities work best when they are embedded in job descriptions and performance objectives — they should be part of how the organisation already operates.

Appoint deputies. Every critical security role needs a named deputy. If the Information Security Officer is on leave during an incident, the response cannot wait. Document who steps in and ensure the deputy has the necessary training and access.

Align with HR processes. Role assignments should be linked to the joiner/mover/leaver process. When someone changes position or leaves, their security responsibilities must be formally handed over. A quarterly reconciliation between the RACI matrix and the HR system catches gaps early.

Make roles visible. Publish the responsibility matrix on the intranet, reference it in onboarding materials and include it in awareness training. People follow what they know exists.

Typical audit evidence

Auditors typically expect the following evidence for A.5.2:

  • Responsibility matrix (RACI) — mapping security roles to named individuals
  • Appointment letters or job descriptions — formal documentation that the person has accepted the role
  • Organisation chart — showing where information security roles sit in the hierarchy
  • Management review minutes — confirming that role coverage was reviewed
  • Handover records — evidence that responsibilities were transferred when people changed roles or left

KPI

% of defined information security roles with a designated responsible person assigned

This KPI tracks whether every documented security role has a named individual behind it. Target: 100%. A score below 100% indicates orphaned responsibilities — a direct risk to the ISMS.

Supplementary KPIs:

  • Percentage of security roles with a documented deputy arrangement
  • Average time to reassign a security role after the previous holder departs
  • Percentage of employees who can correctly identify the Information Security Officer

BSI IT-Grundschutz

A.5.2 maps to several BSI requirements for organisational structure:

  • ISMS.1.A4 (Appointing an Information Security Officer) — requires a dedicated person responsible for information security, reporting directly to top management.
  • ISMS.1.A6 (Establishing an information security management team) — calls for a coordination structure involving relevant stakeholders across departments.
  • ORP.1.A1 (Defining responsibilities) — mandates documented responsibilities and authority for all organisational processes.
  • ORP.1.A2 (Assigning responsibilities) — requires that every task and role is assigned to a specific person.

A.5.2 provides the organisational backbone for all other controls:

Frequently asked questions

Who is accountable for information security in ISO 27001?

Top management retains overall accountability. They may delegate operational tasks, for example to a CISO or Information Security Officer, but the accountability itself cannot be delegated. Auditors verify this through appointment letters, organisation charts and management review minutes.

Do all information security roles need to be documented?

Yes. ISO 27001 requires that roles relevant to information security are defined and communicated. In practice this means a written role description or responsibility matrix (such as a RACI chart) that names both the role and the person filling it.

What happens when someone leaves who held a security role?

The role must be reassigned promptly. Gaps in role coverage are a common audit finding. A defined succession or deputy arrangement prevents unassigned responsibilities during transitions.