GV.RR-02.038

Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?

Explanation

This question assesses whether your organization has clearly defined who owns cybersecurity risk management activities and how information flows between stakeholders. Without clear ownership and communication channels, critical security tasks may fall through the cracks, leading to unaddressed vulnerabilities and confusion during security incidents. Acceptable evidence would include a RACI matrix or similar documentation that identifies specific individuals or roles responsible for cybersecurity activities, approval authorities (accountable parties), subject matter experts to be consulted, and stakeholders who need to be kept informed. This might be part of a broader Information Security Management System (ISMS) document, security policies, or risk management framework.

Implementation Example

Document who is responsible and accountable for cybersecurity risk management activities, and how those teams and individuals are to be consulted and informed.

ID: GV.RR-02.038

Context

Function: GV: GOVERN
Category: GV.RR: Roles, Responsibilities, and Authorities
Sub-Category: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub