Chat with Experta

User
Who should be in charge of implementing Annex A controls?
Experta
The responsibility for handling Annex A controls will differ from one company to another because security activities should be performed by those persons who know the process or technology the best and who have enough authority to make necessary changes.

This is where the roles and responsibilities will be defined:
- The responsibility for the initial implementation of security controls needs to be specified in the Risk Treatment Plan.
- Once security policies and procedures are written, then those documents specify who needs to perform which security activities.

Examples:
- A company has given the responsibility to implement control A.8.13 Information backup to the system administrator because she has the best knowledge of the backup system and has the authority to implement any necessary changes.
- A company has given the responsibility to implement the Classification Policy to the Office Manager because he has the best knowledge of business processes within the company, and which documents need to be classified.