Roles & Responsibilities

Security is everyone’s responsibility –this is true, however who is ultimately responsible for security within the organization? Defining roles and responsibilities regarding information security ensures that at all levels within the organization (which should encompass internal positions, vendors, and contractors), staff are familiar with their security responsibilities, and this should also be defined in job descriptions. Roles and responsibilities can be defined based on a responsibility assignment matrix (RACI), outlining who is responsible, who is accountable, and who should be consulted or informed regarding security matters.

Note: while there may be many people responsible for security, and many people to be consulted and/or informed, only one person should be accountable.

Control Objective

At a hygiene level, roles and responsibilities should be defined and communicated. The roles and responsibilities (which could be a RACI) matrix should identify who occupies the roles.


Roles and Responsibilities Template (XLSX) 

  • Fill out the cells highlighted in yellow
  • Once complete get sign-off from executives