The RACI matrix answers a question that comes up in every ISMS audit: who is responsible for what? ISO 27001 Clause 5.3 requires that roles, responsibilities, and authorities for information security are assigned and communicated. The matrix is the tool you use to document that.
What does it contain?
The template lists typical ISMS tasks in rows and ISMS roles in columns. Each cell contains one of the four letters R, A, C, or I (a combination such as A/R is allowed where one role is both accountable and responsible), or is left empty. The pre-populated tasks cover the entire PDCA cycle:
- Risk management — risk identification, risk assessment, risk treatment, monitoring
- Policies — drafting, approval, communication, annual review
- Operations — incident handling, change management, business continuity
- Assurance — internal audits, management review, corrective actions
- People — onboarding, training, offboarding
How to use the template
1. Adapt the roles. The column headers contain generic roles (CISO, IT Management, Executive Management, Business Unit, HR). Replace them with the actual roles or individuals in your organisation.
2. Add or remove tasks. The pre-populated tasks are a starting point. Add tasks specific to your scope (e.g. cloud security reviews, penetration tests, data protection impact assessments). Remove what does not apply.
3. Assign the letters. For each task: assign exactly one A. R can apply to multiple people. Use C and I as needed. Empty cells are fine — they mean the role has no defined involvement in that task.
4. Communicate. The matrix belongs in the ISMS document register and must be accessible to everyone involved. Anyone who holds a role needs to know it is documented — and what it entails.
5. Maintain. Every organisational change triggers a review. New role? Add a column. Department dissolved? Redistribute tasks. The matrix is a living document.
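The rules in step 3 (exactly one A per task, R may repeat, empty cells allowed) are easy to violate once the matrix has dozens of rows and several editors. The following Python script is an added example, not part of the template or its sources: it parses a matrix kept as a Markdown pipe table in the same layout as the one below and reports every violation. It also flags a role that is never A or R in any task, which is an extra check beyond the steps above. The sample table is constructed from four of the template's columns, with two rows deliberately broken for the demonstration.

```python
"""Lint a RACI matrix kept as a Markdown pipe table.

Checks the rules from the 'How to use the template' steps:
  * each task has exactly one Accountable (A) role
  * each task has at least one Responsible (R) role
  * a cell is R, A, C, I, A/R, or empty (no defined involvement)
and additionally flags a role column that is never A or R, since a role
that is only ever consulted or informed rarely belongs in the matrix.
"""
import re
from dataclasses import dataclass

VALID_CELLS = {"", "R", "A", "C", "I", "A/R", "R/A"}


@dataclass
class RaciMatrix:
    roles: list   # column headers after the first (task) column
    tasks: dict   # task name -> list of cells, one per role


def parse_markdown_table(text: str) -> RaciMatrix:
    """Parse a pipe table; the first column is the task, the rest are roles."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                      # prose or blank line around the table
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue                      # the |---|---| separator row
        rows.append(cells)
    if not rows:
        raise ValueError("no table rows found")
    header, *body = rows
    tasks = {}
    for cells in body:
        if len(cells) != len(header):
            raise ValueError(f"row {cells[0]!r}: {len(cells)} cells, header has {len(header)}")
        tasks[cells[0]] = [c.upper() for c in cells[1:]]
    return RaciMatrix(roles=header[1:], tasks=tasks)


def lint(matrix: RaciMatrix) -> list:
    """Return human-readable findings; an empty list means the matrix passes."""
    findings = []
    for task, cells in matrix.tasks.items():
        for role, cell in zip(matrix.roles, cells):
            if cell not in VALID_CELLS:
                findings.append(f"{task}: invalid cell {cell!r} for {role}")
        accountable = [r for r, c in zip(matrix.roles, cells) if "A" in c]
        responsible = [r for r, c in zip(matrix.roles, cells) if "R" in c]
        if len(accountable) != 1:
            findings.append(
                f"{task}: expected exactly one A, found {len(accountable)} "
                f"({', '.join(accountable) or 'none'})"
            )
        if not responsible:
            findings.append(f"{task}: no R assigned")
    # Column check: a role that is only ever C or I has no defined duty at all.
    for i, role in enumerate(matrix.roles):
        column = [cells[i] for cells in matrix.tasks.values()]
        if not any("A" in c or "R" in c for c in column):
            findings.append(f"{role}: never A or R in any task")
    return findings


def lint_markdown(text: str) -> list:
    return lint(parse_markdown_table(text))


# Constructed sample: four columns in the template's layout. The last two rows
# are deliberately broken for the demo (two A's; no A at all).
SAMPLE = """
| Activity | Top Management | Information Security Officer | IT Operations Lead | All Employees |
|---|---|---|---|---|
| Approve Information Security Policy | A | R | C | I |
| Maintain Risk Register | I | A | R | I |
| Manage Security Incidents | I | A | R | R |
| Conduct Internal Audits | A | A/R | C | I |
| Key Management (Cryptography) | I | C | R | I |
"""

if __name__ == "__main__":
    for finding in lint_markdown(SAMPLE):
        print(finding)
```

Running the script prints one line per violation; on the sample it reports the row with two A's and the row with none. Wiring it into the review that step 5 calls for, so the exported table is linted before every organisational change is signed off, keeps the one-A rule from eroding silently.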
| Activity | Top Management | Information Security Officer (ISO) | IT Operations Lead | HR Lead | Data Protection Officer | Department Heads | All Employees |
|---|---|---|---|---|---|---|---|
| Approve Information Security Policy | A | R | C | C | C | I | I |
| Maintain Risk Register | I | A | R | C | C | C | I |
| Perform Risk Assessments | I | A | R | C | C | R | I |
| Approve Risk Treatment Plan | A | R | C | I | C | C | I |
| Maintain Statement of Applicability | I | A/R | C | I | C | I | I |
| Conduct Internal Audits | A | R | C | I | C | I | I |
| Run Management Review | A/R | R | C | C | C | C | I |
| Manage Security Incidents | I | A | R | I | C | C | R |
| Manage Access Rights | I | A | R | C | I | R | I |
| Run Awareness Training | I | A | C | R | C | C | R |
| Classify Information | I | A | C | C | C | R | R |
| Approve Changes (CAB) | I | C | A/R | I | I | C | I |
| Vulnerability & Patch Management | I | A | R | I | I | I | I |
| Supplier Security Review | I | A | C | I | C | R | I |
| Business Continuity Planning | A | R | R | C | I | R | I |
| Handle Subject Access Requests | I | C | C | C | A/R | I | I |
| Maintain Asset Register | I | A | R | I | I | R | I |
| Report Security Incidents | I | A | C | C | C | R | R |
| Key Management (Cryptography) | I | A | R | I | I | I | I |
Legend: R = Responsible (performs the task), A = Accountable (answers for it), C = Consulted, I = Informed
Sources
- ISO/IEC 27001:2022 Clause 5.3 — Organisational roles, responsibilities, and authorities
- BSI IT-Grundschutz ISMS.1 — Security management