When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this for roles with significant information security responsibilities, such as system owner, asset owner, administrator, incident manager, vendor owner, or risk owner.
Role Title:Department / Function:Role Holder:Manager:Effective Date:Version:
1. Purpose of RoleDescribe the role's purpose in relation to information security.
2. Information Security ResponsibilitiesThe role is responsible for:- [Responsibility 1]- [Responsibility 2]- [Responsibility 3]
3. Information Security AccountabilitiesThe role is accountable for:- [Outcome 1]- [Outcome 2]
4. AuthorityThe role is authorized to:- Approve [type of decision]- Escalate [type of issue]- Access [systems/information]- Accept or recommend [risk/exception], where applicable
5. Required Policies and ProceduresThe role must comply with:- Information Security Policy- Access Control Policy- Incident Management Procedure- [Other relevant documents]
6. Required TrainingThe role must complete:- General security awareness- Role-specific training- Privileged access training, if applicable- Incident response training, if applicable
7. DelegationResponsibilities may be delegated only when:- the delegate is competent;- authority is clear;- records are maintained;- the role holder verifies completion.Accountability remains with the role holder unless formally reassigned.
8. ReviewThis role definition shall be reviewed:- at planned intervals;- when the role changes;- after significant changes to systems, processes, risks, or policies.
Acknowledgement:Role Holder Name:Signature / Approval:Date:
Manager Name:Signature / Approval:Date:- Template
- Roles
- A5 2
Note Metadata
Aliases: Information Security Role Definition
Source: 90 Templates/Information Security Role Definition.md