ISO/IEC 27001 Control 5.2: Information security roles and responsibilities


Information security roles and responsibilities should be defined and allocated according to the organization needs.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint provides essential management capabilities of roles and responsibilities by using its advanced role-based access control (RBAC) mechanisms.

Implementation Details

Roles can be defined in midPoint, including all necessary privileges, role hierarchies, policies and descriptive data, especially for security personnel (e.g. security manager). Role governance can be managed in midPoint, recording business owners, custodians and approvers responsible for day-to-day operation. Such governance approach can be applied to roles, application catalog and other aspects of midPoint, getting governance closer to assets. Organizational structure can be used to assign collective responsibilities, e.g. common responsibilities and privileges of security teams. Escalation capability can be used to maintain accountability of upper management, making sure that the delegated responsibilities are conducted in a timely manner. Simulation capability can be used to predict effects of role model changes.


MidPoint is necessary for consistent application of security roles and responsibilities. Security personnel often have elevated privileges. MidPoint can make sure the privileges are properly recorded, that they are automatically revoked when needed, that the privileges are regularly re-certified. While, in theory, this can be done manually, it is not practical and there may be issues in consistent management of privileges and their timely revocation.

Was this page helpful?
Thanks for your feedback