Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
The organization should identify and document information asset protection responsibilities and carry out specific information security processes. Responsibilities for information security risk management activities—and especially accepting residual risks—should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities.
- Verify that organization charts are maintained and available as appropriate.
- Verify that the role or job descriptions refer to the appropriate ISMS requirements.
- Verify, by interviews or otherwise, that employees and stakeholders are aware of the roles or job descriptions, and that these are reviewed.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.