Clarifying Roles and Responsibilities

Why is clarifying roles and responsibilities important and what are the typical roles?

The Roles and Responsibility Policy defines the critical roles and responsibilities relating to your Quality Management System and/or Information Security Management System.

It is important that roles and responsibilities are clearly defined and allocated. For example, for Information Security, it should be clear who is responsible for:

  • protection of individual assets – within an asset inventory
  • information security risk management activities and in particular for acceptance of residual risks
  • incident management
  • change control
  • the maintenance of each company policy
  • the implementation of controls designed to mitigate information security risks as outlined in the company policies
  • the execution of information security tasks that are required to fulfil control objectives
  • the information security risks associated with suppliers
  • external information security communications, such as those with authorities or special interest groups, e.g. the National Cyber Security Centre (NCSC) or the Information Commissioner’s Office (ICO)
  • threat intelligence - analysis and communication

For Quality Management, it should be clear who is responsible for:

  • Maintaining the integrity of the QMS
  • Reporting of QMS performance
  • Promoting customer focus
  • Quality assurance
  • Quality improvement

Example roles and responsibilities that might be defined for information security in the policy include:

  • Documenting the Information Security Management System
  • Carrying out an information security risk assessment
  • Staff information security awareness training
  • IT operational change
  • Defining and controlling staff access rights
  • Asset management
  • Supplier management
  • Internal audit scheduling
  • Monitoring the risk register / action log
  • Background screening
  • Overseeing changes to the ISMS
  • Threat intelligence

Example roles and responsibilities that might be defined for quality management systems in the policy include:

  • Maintain QMS Business Process Documentation
  • Review quality assurance
  • Client service management