Responsibilities and Lines of Authority
Key Takeaways
- RACI (Responsible, Accountable, Consulted, Informed) is the CISM model for assigning roles; exactly one party is Accountable for any decision.
- Data owners classify data and approve access; data custodians implement and operate controls; the security manager defines requirements and monitors compliance.
- Segregation of duties and avoiding conflicts of interest are why security is positioned to report independently of the IT function it oversees.
- When a question shows overlapping or unclear authority, the correct fix is to clarify accountability and reporting lines, not to add another control.
Assigning Responsibility Without Gaps or Overlap
Lines of authority define who may decide, direct, and enforce; responsibilities define who does the work. CISM tests whether you can place accountability on the right party so risks do not fall through cracks or get fought over. The exam's preferred tool is the RACI chart — Responsible (does the task), Accountable (owns the outcome, sign-off authority), Consulted (two-way input), and Informed (one-way notification). The rule that drives many questions: for any single decision there is exactly one Accountable party. Two A's signal broken governance.
Core role definitions you must keep straight
| Role | What they do (per CISM) |
|---|---|
| Data / information owner | Classifies the data, defines value, approves access, accepts residual risk for that asset |
| Data custodian | Implements and operates the controls the owner requires (backups, access provisioning) |
| Information security manager | Defines control requirements, sets policy/standards, monitors compliance, reports risk |
| System / process owner (business) | Accountable for the business risk of the system |
| End user | Follows policy; uses data within authorized scope |
| Internal audit | Independently evaluates control effectiveness; does not design or operate controls |
A frequent trap: the question asks who should decide who gets access to a sensitive dataset. The answer is the data owner, not the security manager and not IT. The security manager sets the access standard; the owner authorizes individual access; the custodian provisions it.
Independence and segregation of duties
Why does CISM favor the security function reporting outside the IT/operations chain it monitors? Segregation of duties (SoD) and avoiding conflicts of interest. If the CISO reports to the CIO who is measured on uptime and delivery speed, security findings can be suppressed. The exam-preferred reporting line gives security independence — commonly to a CEO, risk committee, or board — so risk reporting is not filtered by the operations it critiques.
Worked scenario
A breach review finds that nobody approved a contractor's database access; IT "assumed" the project lead had. The CISM root cause is undefined accountability for access approval, and the fix is to assign the data owner as the accountable approver and document it in a RACI — not to install another monitoring tool. Tools enforce decisions; they cannot manufacture accountability.
Common traps
- Trap: name the security manager as data owner. The manager governs and monitors but does not own business data.
- Trap: let audit fix the control. Auditors evaluate controls independently; if they design or run controls they cannot later audit them objectively.
- Trap: add a control to solve an authority gap. Overlapping or missing authority is solved by clarifying who is Accountable and the reporting line, then documenting it.
Read-order for authority questions: identify the asset, find its owner, separate Accountable from Responsible, and confirm oversight is independent of the operation. The option that fixes the accountability gap beats the option that buys or builds something.
Building and using a responsibility matrix
To turn role definitions into something testable, the manager documents a RACI matrix mapping every key security activity to the roles above. Walk a typical workflow — provision access to a confidential dataset — across the matrix:
- Define the access standard: security manager is Responsible; CISO is Accountable; data owner is Consulted.
- Approve a specific user's access: data owner is Accountable; security manager is Consulted; custodian is Informed.
- Provision the account: custodian is Responsible; data owner is Accountable; security is Informed.
- Review access annually (recertification): data owner is Accountable; security manager is Responsible for running the review; audit is Informed.
The pattern that recurs on the exam: the owner authorizes and stays accountable, the custodian and security execute, and audit only watches. If any cell makes audit responsible for designing or running the control, independence is broken and the matrix is wrong.
Delegation does not transfer accountability
A subtle CISM point: a manager can delegate the task (Responsible) but retains accountability (Accountable). If the CISO delegates patch deployment to an operations team and a critical patch is missed, the CISO remains accountable for the program's risk outcome. On the exam, "I assigned it to the team" is never a complete defense for an accountable party.
Worked scenario: outsourced operations
The company outsources its security operations center to a managed provider. Who is accountable for information security risk? The provider is Responsible for monitoring (operation), but the organization — through its security manager and executives — remains Accountable for the risk. You can outsource the work; you cannot outsource the accountability. The fix when a question shows the business treating a vendor as the risk owner is to reassign accountability to an internal owner and define the vendor's responsibilities in the contract and a RACI.
Quick recall
For any authority question: name the owner of the asset, give exactly one Accountable party per decision, keep audit independent of what it reviews, and remember that delegation moves the task but not the accountability. The strongest answer clarifies who owns the decision and the reporting line rather than adding another tool to paper over a governance gap.
Who should authorize which individuals may access a sensitive customer dataset?
Why does CISM favor the information security function reporting outside the IT operations chain it oversees?
A RACI chart for a critical decision shows two parties marked Accountable. What does this indicate?