Why is clarifying roles and responsibilities important and what are the typical roles?
The Roles and Responsibility Policy defines the critical roles and responsibilities relating to your Quality Management System and/or Information Security Management System.
It is important that roles and responsibilities are clearly defined and allocated. For example, for Information Security, it should be clear who is responsible for:
- protection of individual assets – within an asset inventory
- information security risk management activities and in particular for acceptance of residual risks
- incident management
- change control
- the maintenance of each company policy
- the implementation of controls designed to mitigate information security risks as outlined in the company policies
- the execution of information security tasks that are required to fulfil control objectives
- the information security risks associated with suppliers
- external information security communications, such as those with authorities or special interest groups e.g. The National Cyber Security Centre (NCSC) or Information Commissioner’s Office (ICO)
- threat intelligence - analysis and communication
For Quality Management, it should be clear who is responsible for:
- Maintaining the integrity of the QMS
- Reporting of QMS performance
- Promoting customer focus
- Quality assurance
- Quality improvement
Example roles and responsibilities that might be defined for information security in the policy include:
- Documenting the Information Security Management System
- Carrying out an information security risk assessment
- Staff information security awareness training
- IT operational change
- Defining and controlling staff access rights
- Asset management
- Supplier management
- Internal audit scheduling
- Monitoring the risk register / action log
- Background screening
- Overseeing changes to the ISMS
- Threat Intelligence
Example roles and responsibilities that might be defined for quality management systems in the policy include:
- Maintain QMS Business Process Documentation
- Review quality assurance
- Client service management