
    ISO 27001 & ISO 22301 Blog

    RACI matrix for ISO 27001 implementation project

    Very often, an ISO 27001 implementation project is a multi-level and multidisciplinary endeavor, where personnel involved have different roles and responsibilities as the project progresses.

    To help clarify and control personnel involvement, many projects make use of the RACI matrix, and in this article, we’ll show one example of how to apply it to an ISO 27001 implementation project.

    RACI matrix basic concepts

    RACI is a form of responsibility assignment presentation, and is named after the four most common responsibilities used: Responsible, Accountable, Consulted, and Informed.

    • Responsible: Refers to those who do the work to complete the task.
    • Accountable: Designates the person who ultimately answers for the results of an activity, and who delegates the work to the people who will execute it.
    • Consulted: Refers to those whose input is sought on the related activity, and with whom there is two-way communication.
    • Informed: Designates those who are kept up to date on the progress of the activity, and with whom there is only one-way communication.

    In some situations, the same role that is accountable for an activity may also be responsible for its execution.


    RACI matrix for ISO 27001 project implementation

    Considering the previous definitions, the following table presents a suggestion for a RACI matrix covering general activities related to an ISO 27001 implementation project and the roles involved. For more information about the listed activities, please read this ISO 27001 implementation checklist.

    It is important to note that the matrix was developed assuming that the project already has top management buy-in. Obtaining the management buy-in is critical to the success of the project, but in terms of the RACI matrix, this activity would only add unnecessary complexity. Obtaining management approval is only done once before the project planning and execution start, and this activity can be defined within other planning documents of the project, as we will present in this article.

    For more information about getting top management buy-in, please read: 4 crucial techniques for convincing your top management about ISO 27001 implementation and Four key benefits of ISO 27001 implementation.

    Activities | Top management | Project Team | Unit Heads / Process Owners / Interested Parties | Employees / Users
    Identifying the Information Security Management System (ISMS) requirements and interested parties | A | R | C | C
    Defining ISMS basic framework (e.g., scope, policy, etc.) | A | R | C | I
    Development of the risk assessment and treatment methodology | A | R | C | I
    Performing the risk assessment and defining the risk treatment plan | A | R | C | C
    Controls implementation | I | R | A | I
    Training and awareness of personnel | I | R | A | I
    Controls operation | I | R | A/R | R
    Performance monitoring and measurement | I | R | A/R | R
    Performing the internal audit | I | A/R | C | C
    Performing management review | A | R | C | I
    Addressing nonconformities, corrective actions, and opportunities for improvement | A | R | R | I

    Legend: R – Responsible; A – Accountable; C – Consulted; I – Informed

    Table 1 – RACI matrix for an ISMS implementation project (columns: Top management, Project Team, Unit Heads / Process Owners / Interested Parties, Employees / Users)

    As you may have noticed, top management involvement happens mostly at the beginning and at the end of the project. By defining the Unit Heads / Process Owners / Interested Parties as Accountable for the phases related to controls implementation and measurement, the organization can enforce and maintain their commitment to the project (in this configuration, the implementation results will be as relevant to them as to the implementation project team).

    Where to document the RACI matrix

    You can document the RACI matrix either as a separate document or as part of your Project Plan. Regarding the person responsible for obtaining top management buy-in for the project, normally the plan’s author would be that person (sometimes known as the project sponsor).

    Of course, you should document specific details about these responsibilities in the various documents of the project, if such exist, like schedule, budget, communication plan, and other documents that you will develop as part of the ISO 27001 implementation.

    When documenting the details, it is important to note that when a role is designated as “A/R,” this means that, besides the accountability, that role will also have a management action to perform regarding that activity, while a single “R” means the performance of an operational aspect of the activity.

    For example, for the performance monitoring and measurement, the head of the department is responsible for reviewing the measurement results and defining the proper actions, while employees have the responsibility to perform the measurements and carry out the actions decided by the head of the department.

    RACI matrix – A useful tool for your ISO 27001 implementation project

    The RACI matrix can be one of your best tools during an ISO 27001 implementation, because it helps define and clarify everyone’s responsibilities in the necessary activities, helping to reduce miscommunication and implementation errors.

    Regardless of the methodology you may be using for your implementation of ISO 27001, this matrix can provide you with a clear overview of responsibilities without “reinventing the wheel.” The benefit? Projects on time and on cost, bringing satisfaction and expected results to all interested parties.

    Use this free online training ISO 27001:2013 Lead Implementer Course to learn more about roles and responsibilities in ISO 27001 implementation.

    Author: Rhand Leal

    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.