📋 Template ISO 27001:2022 · Clause 5.3 · 4 pages · ISMS-ROLES-001

Roles and Responsibilities

Detailed role definitions for CISO, ISM, System Owners, All Staff, HR, Internal Audit, and Top Management. Includes a full RACI matrix for key ISMS activities.

Document ID: ISMS-ROLES-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Chief Information Security Officer

Purpose

This document defines information security roles, responsibilities, and authorities across [Organisation Name] in accordance with ISO/IEC 27001:2022 Clause 5.3. It ensures that accountability for the ISMS and its controls is clearly assigned, communicated, and understood at every level of the organisation.


1. Governance Structure

Board / Top Management
         │
         │ (sets risk appetite; approves policy; allocates resources)
         ▼
Chief Information Security Officer (CISO)
         │
         │ (owns ISMS; reports to Board; strategic security direction)
         ▼
Information Security Manager (ISM)
         │
         ├─────────────────────────────────────┐
         ▼                                     ▼
System Owners                           Internal Audit
(accountable for assets                 (independent assurance
 in their domain)                        and finding verification)
         │
         ▼
All Staff and Contractors
(comply with policies; report incidents)

HR Department
(supports joiners/leavers process; maintains training records)

2. Role Definitions

2.1 CISO — Chief Information Security Officer

Reports to: CEO / Board of Directors
Delegated authority: Can suspend system access without prior approval in response to a security incident; can approve or reject security exceptions; sets risk appetite in consultation with the Board; can engage external legal counsel for breach response.

Key Responsibilities:

  1. Own and sponsor the ISMS; ensure it is implemented, operated, and continually improved in accordance with ISO/IEC 27001:2022.
  2. Define and maintain the organisation’s information security strategy aligned with business objectives.
  3. Report ISMS performance, significant incidents, and risk status to Top Management and the Board at least quarterly.
  4. Approve the Information Security Policy and all major security policies before issue or re-issue.
  5. Set the information security risk appetite in consultation with the Board and ensure the risk register reflects current tolerance.
  6. Act as primary point of contact for external certification bodies, regulators, and insurers on information security matters.
  7. Own and manage the information security budget; make resource allocation decisions for the ISMS programme.
  8. Ensure supplier security requirements are upheld at the executive relationship level for strategic suppliers.
  9. Escalate material risks or incidents to the Board within defined timeframes; recommend remediation actions.
  10. Sponsor the security awareness and culture programme; demonstrate visible commitment from leadership.

2.2 ISM — Information Security Manager

Reports to: CISO
Delegated authority: Can initiate access revocation for any user pending CISO review; can place a system into change freeze pending security assessment.

Key Responsibilities:

  1. Manage the day-to-day operation of the ISMS, including maintaining all ISMS documentation, records, and registers.
  2. Maintain the risk register: schedule and facilitate annual risk assessments; update risks following incidents or changes; produce risk summary reports for the CISO.
  3. Author, review, and maintain all information security policies, procedures, and standards in line with the document control process.
  4. Plan and deliver the annual security awareness training programme; track completion and escalate non-completion to HR and line managers.
  5. Conduct or coordinate security assessments of new suppliers; maintain the supplier register; schedule annual Tier 1 supplier reviews.
  6. Coordinate and support internal ISMS audits; provide requested evidence to auditors; manage the nonconformity register and corrective actions.
  7. Define, collect, and report ISMS KPIs (patch compliance, training completion, access review completion, MTTD, MTTR) to the CISO monthly.
  8. Act as the first-responder coordinator for security incidents; escalate to CISO per the Incident Response Policy; maintain the incident register.
  9. Review security requirements for new projects, systems, and infrastructure changes; provide security sign-off before go-live.
  10. Maintain ISO 27001:2022 certification: coordinate with the certification body; manage surveillance audit preparation and evidence collection.

2.3 System Owners

Definition: A System Owner is a named individual with management accountability for a specific information system, application, service, or dataset within the ISMS scope. Every asset in the Asset Inventory must have a named owner. Ownership does not require technical expertise but does require management authority over the system.

Key Responsibilities:

  1. Ensure all assets under their ownership are registered in the Asset Inventory with accurate classification, location, and criticality data; review annually.
  2. Approve or reject access requests for their system; ensure access is granted only to individuals with a documented business need and line manager approval.
  3. Ensure systems under their ownership are maintained, patched, and configured in accordance with security baselines and the patch management SLA.
  4. Participate in risk assessments for their system; provide context on business criticality and dependencies.
  5. Report security incidents or anomalies affecting their system immediately to the ISM; do not attempt to resolve security incidents independently.
  6. Ensure acceptable use of their system by authorised users; report policy violations to the ISM.
  7. Maintain system documentation (data flows, architecture diagrams, dependencies) in a current and accurate state.
  8. Participate in business continuity and disaster recovery plan testing relevant to their system; validate recovery procedures annually.

2.4 All Staff and Contractors

Applies to: All full-time employees, part-time employees, contractors, consultants, and secondees with access to organisational systems or information.

Key Responsibilities:

  1. Read, understand, and comply with all information security policies applicable to their role; acknowledge policy receipt annually.
  2. Complete all mandatory security awareness training within the required timeframe (induction training within first week; annual refresher by deadline).
  3. Report any actual or suspected security incidents, policy violations, or suspicious activity immediately to the ISM via the security reporting channel — do not delay or attempt to resolve independently.
  4. Protect all authentication credentials (passwords, tokens, certificates); never share credentials; never write passwords down in unsecured locations.
  5. Follow the clear desk and clear screen policy; lock workstation when leaving the desk; secure physical documents when not in use.
  6. Report suspicious emails (phishing, BEC attempts) to the IT/security team using the report phishing button or designated email address.
  7. Not install unauthorised software on organisational devices; not connect personal USB drives or storage media to organisational equipment.
  8. Return all organisational assets, credentials, and access cards on or before the last day of employment or contract.

2.5 HR Department

Key Responsibilities:

  1. Ensure background screening (identity verification, criminal record check where legally permissible, reference checks) is completed before a new employee commences in a role with access to sensitive data or systems.
  2. Ensure all employment contracts and contractor agreements include security obligations: confidentiality, acceptable use, incident reporting, and return of assets clauses.
  3. Coordinate security induction for new starters: ensure ISM is notified at least 5 business days before a new starter’s first day; include security policy acknowledgement in onboarding pack.
  4. Notify the IT Manager and ISM within 1 hour of a termination decision (voluntary or involuntary) to trigger access revocation; provide expected last working day.
  5. Maintain records of security training completion for all employees; provide monthly training completion report to ISM; chase non-completions via line managers.
  6. Support the CISO and ISM in any disciplinary process related to information security policy violations; provide HR procedure guidance and documentation.

2.6 Internal Audit

Independence: The internal audit function operates independently from operational management. The lead internal auditor has a direct reporting line to the CISO (or where the CISO is the auditee, to the Board).

Key Responsibilities:

  1. Conduct ISMS internal audits in accordance with the approved audit programme (ISMS-AUD-001) and the requirements of ISO/IEC 27001:2022 Clause 9.2; produce written audit reports for each audit.
  2. Report findings objectively and factually, supported by evidence; avoid subjective language; distinguish between nonconformities, observations, and opportunities for improvement.
  3. Verify that corrective actions raised from previous audit findings have been implemented effectively; mark findings as closed only when evidence of effective closure is confirmed.
  4. Maintain audit independence: do not audit processes or systems for which the auditor has operational responsibility; declare any conflicts of interest to the CISO before accepting an audit assignment.
  5. Escalate any critical findings (Major Nonconformities with material risk implications) to the CISO immediately upon discovery; do not wait for the formal audit report.
  6. Provide a summary of audit results, open findings, and corrective action status as a standing agenda item at each Management Review.

2.7 Top Management / Board of Directors

Key Responsibilities:

  1. Approve the Information Security Policy and any material updates before issue; demonstrate active engagement with information security at the executive level.
  2. Set the information security risk appetite with input from the CISO; review and confirm or adjust the risk appetite annually at the Management Review.
  3. Allocate adequate resources (budget, personnel, tooling) for the ISMS programme; approve the annual information security budget.
  4. Review ISMS performance at the Management Review (at least annually); engage with KPI data, incident summaries, and risk status with appropriate scrutiny.
  5. Ensure information security objectives are established and align with the organisation’s strategic direction; hold the CISO accountable for objective delivery.
  6. Demonstrate visible leadership commitment to information security: communicate the importance of information security to staff; participate in awareness initiatives.

3. RACI Matrix

Codes: R = Responsible (does the work) | A = Accountable (ultimately answerable) | C = Consulted (input required) | I = Informed (kept in the loop)

ISMS Activity                | Top Mgmt / Board | CISO | ISM | System Owners | HR | All Staff | Internal Audit
-----------------------------+------------------+------+-----+---------------+----+-----------+---------------
Risk Assessment (annual)     | I                | A    | R   | C             | C  | —         | I
Risk Treatment Decision      | A                | R    | C   | C             | —  | —         | —
Policy Approval              | A                | R    | C   | —             | C  | I         | —
Policy Compliance            | I                | A    | R   | C             | C  | R         | —
Security Awareness Training  | I                | A    | R   | —             | C  | R         | —
Access Provisioning          | I                | I    | C   | A/R           | C  | —         | —
Quarterly Access Review      | I                | A    | R   | R             | —  | —         | —
Incident Response (P1/P2)    | I                | A    | R   | C             | —  | I         | —
Supplier Assessment          | I                | A    | R   | C             | —  | —         | —
Internal Audit Execution     | I                | A    | C   | C             | —  | —         | R
Management Review            | A                | R    | R   | C             | C  | —         | C
Corrective Action Closure    | I                | I    | A   | R             | C  | —         | C
Budget Allocation            | A                | R    | C   | —             | —  | —         | —
Certification Maintenance    | I                | A    | R   | —             | —  | —         | C

4. Review History

Version | Date       | Author      | Changes
--------+------------+-------------+--------------
1.0     | March 2026 | [CISO Name] | Initial issue
