GOV-002 Information Security Roles and Responsibilities
Description
Information security roles and responsibilities are defined, documented, and allocated to named individuals or functions. This includes a named owner for the information security program, ownership assignments for information assets, and documented accountability for key security decisions.
Rationale
Without defined ownership and accountability, security controls are unenforceable and audits cannot confirm that obligations are being met.
Framework Mappings (6)
| Control ID | Control Title | Coverage |
|---|---|---|
| GRC-06 | Governance Responsibility Model | full |
| 5.2 | Information security roles and responsibilities | full |
| PM-2 | Information Security Program Leadership Role | full |
| PM-29 | Risk Management Program Leadership Roles | partial |
| GOVERN 2.1 | AI Risk Roles and Responsibilities | partial |
| CC1.3 | COSO Principle 3: Establishes Structure, Authority, and Responsibility | partial |
Evidence (2)
Documented information security roles and responsibilities matrix or RACI, assigning ownership to named individuals or job functions.
Example: Security Roles and Responsibilities document or RACI matrix (Confluence/Google Drive), listing the named CISO or security program owner, asset owners, and accountability for key security decisions.
Test: Request the roles and responsibilities document. Verify: (1) a named individual or titled role is designated as security program owner, (2) asset ownership is assigned for at least the critical information assets in the asset inventory, (3) the document has an approval date and named approver.
Organizational chart or HR system record confirming the named security role owner is a current employee or contractor with that title.
Example: Org chart (BambooHR / Workday export) or LinkedIn profile cross-referenced against the roles document, confirming the named CISO or security lead is an active employee.
Test: Cross-reference the named security program owner in the roles document against the HR system or org chart. Verify: (1) the individual is currently employed in the stated role, (2) no gap exists between the current date and the last confirmed appointment date.
Questions (2)
Are information security roles and responsibilities formally documented and assigned to named individuals or functions?
Look for a roles-and-responsibilities document or RACI that names a security program owner and assigns asset ownership for critical information assets.
Which of the following security ownership roles are formally defined and filled in your organization?
At a minimum, a named security program owner and asset owners for critical systems should be documented and verifiable against the org chart.