RACI matrix for ISO 27001 implementation project

Very often, an ISO 27001 implementation project is a multi-level and multidisciplinary endeavor, where personnel involved have different roles and responsibilities as the project progresses.

To help clarify and control personnel involvement and to establish the information security roles and responsibilities matrix, many projects make use of the RACI matrix in this article, we’ll show one example of how to apply it to an ISO 27001 implementation project.

The ISO 27001 RACI matrix is based on the four most common responsibilities:
  • Responsible
  • Accountable
  • Consulted
  • Informed

ISO 27001 RACI matrix basic concepts

RACI is a form of responsibility assignment presentation, and is named after the four most common responsibilities used: Responsible, Accountable, Consulted, and Informed.

  • Responsible: Refers to those who do the work to complete the task.
  • Accountable: Designates the person who ultimately answer for the results of an activity, and also who delegates the work to the people who will execute it.
  • Consulted: Refers to those who sought be heard on the related activity, and with whom there is two-way communication.
  • Informed: Designates those who sought to be kept up-to-date on the progress of the activity, and with whom there is just one-way communication.

In some situations, the same role that is accountable for an activity may also be responsible for its execution.

RACI matrix for ISO 27001 project implementation

Considering the previous definitions, the following table presents a suggestion for an ISO 27001 RACI matrix covering general activities related to an ISO 27001 implementation project and the roles involved. For more information about the listed activities, please read this ISO 27001 implementation checklist.

It is important to note that the information security roles and responsibilities matrix was developed assuming that the project already has top management buy-in. Obtaining the management buy-in is critical to the success of the project, but in terms of the RACI matrix, this activity would only add unnecessary complexity. Obtaining management approval is only done once before the project planning and execution start, and this activity can be defined within other planning documents of the project, as we will present in this article.

For more information about getting top management buy-in, please read: 4 crucial techniques for convincing your top management about ISO 27001 implementation and Four key benefits of ISO 27001 implementation.

Activities Top management Project Team Unit Heads / Process Owners / Interested Parties Employees / Users
Identifying the Information Security Management System (ISMS) requirements and interested parties A R C C
Defining ISMS basic framework (e.g., scope, policy, etc.) A R C I
Development of the risk assessment and treatment methodology A R C I
Performing the risk assessment and defining the risk treatment plan A R C C
Controls implementation I R A I
Training and awareness of personnel I R A I
Controls operation I R A/R R
Performance monitoring and measurement I R A/R R
Performing the internal audit I A/R C C
Performing management review A R C I
Addressing nonconformities, corrective actions, and opportunities for improvement A R R I

Legend: R – Responsible; A – Accountable; C – Consulted; I – Informed

Table 1 – RACI Matrix for an ISMS implementation project

As you may have noticed, top management involvement happens mostly at the beginning and at the end of the project. By defining the Unit Heads / Process Owners / Interested Parties as Accountable for the phases related to controls implementation and measurement, the organization can enforce and maintain their commitment to the project (in this configuration, the implementation results will be as relevant to them as to the implementation project team).

Where to document the RACI matrix

You can document the RACI matrix either as a separate document or as part of your Project Plan. Regarding the person responsible for obtaining top management buy-in for the project, normally the plan’s author would be that person (sometimes known as the project sponsor).

Of course, you should document specific details about these responsibilities in the various documents of the project, if such exist, like schedule, budget, communication plan, and other documents that you will develop as part of the ISO 27001 implementation.

When documenting the details, it is important to note that when a role is designated as “A/R,” this means that, besides the accountability, that role will also have a management action to perform regarding that activity, while a single “R” means the performance of an operational aspect of the activity.

For example, for the performance monitoring and measurement, the head of the department is responsible for reviewing the measurement results and defining the proper actions, while employees have the responsibility to perform the measurements and carry out the actions decided by the head of the department.

RACI matrix – A useful tool for your ISO 27001 implementation project

The ISO 27001 RACI matrix can be one of your best tools during an ISO 27001 implementation, because it helps define and clarify everyone’s responsibilities in the necessary activities, helping to reduce miscommunication and implementation errors.

Regardless of the methodology you may be using for your implementation of ISO 27001, this information security roles and responsibilities matrix can provide you with a clear overview of responsibilities without “reinventing the wheel.” The benefit? Projects on time and on cost, bringing satisfaction and expected results to all interested parties.

To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.