Structures, Roles, and Responsibilities
Key Takeaways
- A RACI matrix prevents the most common governance gap: a control with no accountable owner.
- Data owners (accountable for classification and access decisions) differ from data custodians (who implement and operate the protection).
- The CISO's reporting line signals independence; reporting outside IT (to the CEO, risk, or audit committee) reduces conflicts of interest.
- A security steering committee aligns security decisions with business units and turns governance direction into prioritized action.
Assigning Accountability with RACI
The most common governance defect CISM tests is the unowned control — a safeguard nobody is accountable for, which decays silently. The remedy is a RACI matrix (Responsible, Accountable, Consulted, Informed). The hard rule the exam enforces: each activity has exactly one Accountable party. Multiple "Accountable" assignments mean no one is truly accountable.
| RACI role | Meaning | Count rule |
|---|---|---|
| Responsible | Does the work | One or more |
| Accountable | Answers for the outcome; approves | Exactly one |
| Consulted | Two-way input before action | As needed |
| Informed | One-way notification after action | As needed |
Owner Versus Custodian
CISM is precise about two roles candidates routinely confuse:
- Data/information owner — typically a business executive who is accountable for the asset: decides its classification, approves who gets access, and accepts the risk. Ownership is a business role, not an IT role.
- Data custodian — typically IT/operations, responsible for implementing and operating the protections (backups, encryption, access provisioning) the owner specifies.
A stem asking "who decides the classification of customer records?" points to the business data owner, not the database administrator (a custodian). Conversely, "who configures the encryption?" points to the custodian. The owner sets direction; the custodian executes — the governance/management split appearing again at the data level.
CISO Reporting Line and Independence
Where the CISO reports is a governance signal, not an org-chart detail. Reporting into the Chief Information Officer (CIO) creates a conflict of interest: the CIO is incentivized toward delivery and uptime, which can suppress security concerns. CISM prefers reporting lines that preserve independence — to the CEO, a chief risk officer, or with a dotted line to the audit committee of the board. The principle being tested is segregation of duties: the party that builds and runs systems should not be the sole party assuring their security.
The Security Steering Committee
A security steering committee is the cross-functional body — business unit leaders, IT, legal, risk, and the CISO — that aligns security investment with business priorities and arbitrates competing demands. Its existence is the structural mechanism that turns the board's governance direction into prioritized, funded action and gives the security strategy legitimacy across the enterprise. On the exam, when a program lacks business buy-in or funding, the structural fix is often "establish (or activate) the steering committee," not "the CISO should decide alone."
Use this quick mapping when a stem asks "who should...":
- Approve security strategy and budget envelope: board / executive management.
- Set classification and approve access for an asset: data owner.
- Implement and operate the safeguard: data custodian.
- Prioritize security initiatives across business units: steering committee.
- Run the program day to day and report assurance: CISO.
Getting these role boundaries right is worth disproportionate points because Domain 1 questions repeatedly hinge on "who is accountable" versus "who is responsible."
Segregation of Duties and Conflicts to Watch
Segregation of duties (SoD) ensures no single individual can both perform and conceal an improper action. CISM tests it as a structural control, not a technical one. The classic conflicts a manager must design out:
- The person who develops code should not be the sole person who deploys it to production.
- The person who requests access should not be the same person who approves and grants it.
- The team that operates controls should not be the only team that assures their effectiveness — hence an independent audit or risk function.
Where headcount is too small to separate duties (common in smaller enterprises), the governed answer is compensating controls: management review, logging and independent log review, and mandatory vacation or job rotation. The wrong answer is "accept it because we are small" without compensating controls and management sign-off.
Mapping a Scenario to the Right Body
Questions often describe a dysfunction and ask for the structural fix. Use this lookup:
| Symptom in the stem | Structural fix |
|---|---|
| Security initiatives lack funding or business buy-in | Establish/activate the security steering committee |
| A control exists but decays; no one fixes it | Assign an Accountable owner via RACI |
| Security concerns are overruled by delivery pressure | Change the CISO reporting line to preserve independence |
| One person controls a sensitive end-to-end process | Apply segregation of duties or compensating controls |
| Classification disputes between IT and business | Confirm the business data owner decides |
The Three Lines Model
Many boards organize accountability using the three lines model: the first line (operational management) owns and manages risk; the second line (risk and compliance functions, often including the security policy function) sets standards and monitors; the third line (internal audit) provides independent assurance to the board. The CISO and security operations generally sit in the first and second lines, while audit stays in the third to preserve independence.
A question that asks who provides independent assurance points to internal audit (third line), whereas one that asks who manages day-to-day risk points to operational management (first line). Recognizing these lines keeps you from assigning assurance to the same group that runs the controls, which is the SoD violation CISM most wants you to catch.
Review Questions
- A RACI matrix lists three different parties as "Accountable" for the same control. What is the governance problem?
- Who is accountable for deciding the classification of a set of customer records?
- Why does CISM caution against the CISO reporting directly into the CIO?