5.3 Roles, responsibilities and authorities

Clause 5.3 of ISO 28000:2022 requires an organization to define, document and communicate the specific roles, responsibilities and authorities needed for its security management system, ensuring that each function knows its duties and has the authority to act. Top management must ensure these assignments are understood across the organization and that any changes are promptly updated and disseminated.