When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to clarify responsibility and accountability across ISMS activities.
Legend:
| Letter | Meaning |
|---|---|
| R | Responsible — performs the work |
| A | Accountable — ultimately answerable |
| C | Consulted — provides input |
| I | Informed — kept aware |
Key rule: each important activity should have one clear accountable owner.
| Activity | Top Management | CISO / Security Lead | Business Owner | IT Operations | HR | Procurement | Employee / User |
|---|---|---|---|---|---|---|---|
| Approve information security policy | A | R | C | C | C | C | I |
| Maintain ISMS | I | A/R | C | C | C | C | I |
| Own business information risk | A/C | C | A/R | C | C | C | I |
| Approve user access | I | C | A/R | R | C | I | I |
| Implement user access | I | C | C | A/R | C | I | I |
| Remove leaver access | I | C | C | R | A/R | I | I |
| Report security incidents | I | A/R | C | R | C | C | R |
| Manage supplier security requirements | I | C | C | C | C | A/R | I |
| Perform security awareness | I | A/R | C | C | R/C | I | R |
| Accept residual risk | A/C | C | A/R | C | C | C | I |
- Template
- Raci
- Roles
- A5 2
Note Metadata
Aliases: RACI Matrix
Source: 90 Templates/RACI Matrix.md
Related Notes
- Roles and Responsibilities
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5.2 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISMS Implementation Roadmap
- EXAM-005 - Responsibility vs Accountability
- Incident Roles and Communications Matrix
- Project Security Requirements Register
- Templates MOC