Person in charge's role or responsibility in ISMS? ISO 27001

tempe

#1
I've read many articles and books about ISMS implementation. But there are certain points that I still do not clearly understand.

As there are many processes and tasks involved in ISMS implementation, until now I am quite unclear about who is really in charge of each process or task. Almost all the information that I have found to this point mentions that the organization's IT security committee is responsible for ISMS implementation. However, I need to know who is in the committee and their roles for each process and task in ISMS implementation, step by step.

I would be grateful for any info on the persons who are in charge of the ISMS and their roles or responsibilities for the ISMS in detail. Any general examples would also be a good help.

Thank you.

Colin

Quite Involved in Discussions
#3
I am fairly new to ISO 27001 implementation, but I am involved in a couple of projects at the moment. In my experience to date, I have found that you need to involve a number of key people. Despite what is said about it not being an IT-based standard, there is a lot going on around the IT infrastructure, so you will definitely need to involve the person responsible for that.

It also includes physical access, so whoever looks after door entry/access, etc., needs to be involved. One of the early tasks is to identify your information assets. This could include hardware, software, mobile phones, laptops, etc., so once again, get the people responsible involved.

It goes without saying that top management need to be on board and ultimately, everyone in the organisation needs to understand their roles.
 

Richard Regalado

Trusted Information Resource
#4
Hi Tempe.

The same persons who are responsible for a process would still be responsible for the same process when you implement an ISMS. If an engineer is responsible for the design drawings, that same engineer would still be responsible for the drawings under an ISMS. Why? Because the design engineer knows and understands the risks to the design drawings. Loss, damage due to normal wear and tear, confidentiality leaks, and inaccurate information are just some of the threats that need to be managed.

There could also be additional responsibilities. Following the same example, management decides to digitize the design drawings to ensure high availability. The drawings, which used to be kept only in locked cupboards, are now also being saved on the organization's servers. Who is responsible now? Clearly NOT ONLY the design engineer, but maybe also a backup administrator or the system administrator.

In my engagements I suggest that implementing organizations nominate an ISMR to be overall responsible for the implementation, maintenance and improvement of the ISMS. The ISMR would ensure that RAs are done on time, RTs are being implemented to mitigate the risks, etc.

Do note that it is not always IT. After all, not all information which needs to be protected is stored in digital format.