HRS-09: Personnel Roles and Responsibilities

Control Family:

Human Resources

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: HRS-07: Roles / Responsibilities, HRS-10: User Responsibility.

Control Statement

Document and communicate roles and responsibilities of employees, as they relate to information assets and security.

Implementation Guidance

The organization should identify and document information asset protection responsibilities and carry out specific information security processes. Responsibilities for information security risk management activities— and especially accepting residual risks—should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities.

Auditing Guidance

  1. Verify that organization charts are maintained and available as appropriate.
  2. Verify that the Role or Job Descriptions refer to the appropriate ISMS requirements.
  3. Verify, by Interviews or otherwise, that employees and stakeholders are aware of the roles or job descriptions, and that these are reviewed.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.