ISMS High-Level RACI Chart (ISMS-SUP-002)
RACI Definitions:
- R = Responsible: The person(s) who does the work to achieve the task.
- A = Accountable: The person ultimately answerable for the correct and thorough completion of the deliverable or task (the “owner”). There is only one ‘A’ per task.
- C = Consulted: The person(s) who provides input, feedback, and expertise (two-way communication).
- I = Informed: The person(s) kept up-to-date on progress or completion (one-way communication).
Consolidated Roles for a ~50-Person Company:
- Leadership: CEO / Executive Team
- CISO: Chief Information Security Officer (also assumes Privacy Officer & AI Ethics Officer roles)
- Eng. Lead: Head of Engineering / CTO
- IT/DevOps: IT & DevOps Lead / Team
- Legal: Legal & Compliance Officer
- HR: Human Resources Manager
- Workforce: All Workforce Members
| Deliverable / Task | Leadership | CISO | Eng. Lead | IT/DevOps | Legal | HR | Workforce |
|---|---|---|---|---|---|---|---|
| ISMS Governance & Policy Management | A | R | C | I | C | C | I |
| Annual Risk Assessment | C | A | R | R | C | C | I |
| Vulnerability Management Program | I | A | R | R | | | |
| Vendor & Third-Party Risk Management | I | A | C | R | C | C | |
| Access Control & Review (Quarterly) | I | A | R | R | | | |
| Secure Development & Change Mgt. | I | C | A | R | R | | |
| Incident Response & Post-Mortem | I | A | R | R | C | C | R |
| BCDR Planning & Annual Testing | A | R | R | R | C | C | I |
| HR Security Lifecycle (On/Offboarding) | I | C | I | R | A | R | |
| Security Awareness Training | I | A | I | I | R | R | |
| Internal & External Audits | A | R | C | C | C | C | I |
| AI Tool Assessment & Approval | C | A | R | C | C | R | |
| Encryption & Key Management | I | C | A | R | | | |
| Legal Hold & eDiscovery | C | C | C | R | A | | |