CALL US 1-888-553-2256
CountryCountry

The ISO 27001 & ISO 22301 Blog

Rhand Leal

RACI matrix for ISO 27001 implementation project

Very often, an ISO 27001 implementation project is a multi-level and multidisciplinary endeavor, where personnel involved have different roles and responsibilities as the project progresses.

To help clarify and control personnel involvement, many projects make use of the RACI matrix, and in this article, we’ll show one example of how to apply it to an ISO 27001 implementation project.

RACI matrix basic concepts

blogpost-banner-bia-en

RACI is a form of responsibility assignment presentation, and is named after the four most common responsibilities used: Responsible, Accountable, Consulted, and Informed.

  • Responsible: Refers to those who do the work to complete the task.
  • Accountable: Designates the person who ultimately answer for the results of an activity, and also who delegates the work to the people who will execute it.
  • Consulted: Refers to those who sought be heard on the related activity, and with whom there is two-way communication.
  • Informed: Designates those who sought to be kept up-to-date on the progress of the activity, and with whom there is just one-way communication.

In some situations, the same role that is accountable for an activity may also be responsible for its execution.

RACI matrix for ISO 27001 project implementation

Considering the previous definitions, the following table presents a suggestion for a RACI matrix covering general activities related to an ISO 27001 implementation project and the roles involved. For more information about the listed activities, please read this ISO 27001 implementation checklist.

It is important to note that the matrix was developed assuming that the project already has top management buy-in. Obtaining the management buy-in is critical to the success of the project, but in terms of the RACI matrix, this activity would only add unnecessary complexity. Obtaining management approval is only done once before the project planning and execution start, and this activity can be defined within other planning documents of the project, as we will present in this article.

For more information about getting top management buy-in, please read: 4 crucial techniques for convincing your top management about ISO 27001 implementation and Four key benefits of ISO 27001 implementation.

Roles
ActivitiesTop managementProject TeamUnit Heads / Process Owners / Interested PartiesEmployees / Users
Identifying the Information Security Management System (ISMS) requirements and interested partiesARCC
Defining ISMS basic framework (e.g., scope, policy, etc.)ARCI
Development of the risk assessment and treatment methodologyARCI
Performing the risk assessment and defining the risk treatment planARCC
Controls implementationIRAI
Training and awareness of personnelIRAI
Controls operationIRA/RR
Performance monitoring and measurementIRA/RR
Performing the internal auditIA/RCC
Performing management reviewARCI
Addressing nonconformities, corrective actions, and opportunities for improvementARRI

Legend: R – Responsible; A – Accountable; C – Consulted; I – Informed

Table 1 – RACI Matrix for an ISMS implementation project

As you may have noticed, top management involvement happens mostly at the beginning and at the end of the project. By defining the Unit Heads / Process Owners / Interested Parties as Accountable for the phases related to controls implementation and measurement, the organization can enforce and maintain their commitment to the project (in this configuration, the implementation results will be as relevant to them as to the implementation project team).

Where to document the RACI matrix

You can document the RACI matrix either as a separate document or as part of your Project Plan. Regarding the person responsible for obtaining top management buy-in for the project, normally the plan’s author would be that person (sometimes known as the project sponsor).

Of course, you should document specific details about these responsibilities in the various documents of the project, if such exist, like schedule, budget, communication plan, and other documents that you will develop as part of the ISO 27001 implementation.

When documenting the details, it is important to note that when a role is designated as “A/R,” this means that, besides the accountability, that role will also have a management action to perform regarding that activity, while a single “R” means the performance of an operational aspect of the activity.

For example, for the performance monitoring and measurement, the head of the department is responsible for reviewing the measurement results and defining the proper actions, while employees have the responsibility to perform the measurements and carry out the actions decided by the head of the department.

RACI matrix – A useful tool for your ISO 27001 implementation project

The RACI matrix can be one of your best tools during an ISO 27001 implementation, because it helps define and clarify everyone’s responsibilities in the necessary activities, helping to reduce miscommunication and implementation errors.

Regardless of the methodology you may be using for your implementation of ISO 27001, this matrix can provide you with a clear overview of responsibilities without “reinventing the wheel.” The benefit? Projects on time and on cost, bringing satisfaction and expected results to all interested parties.

Use this free online training ISO 27001:2013 Lead Implementer Course to learn more about roles and responsibilities in ISO 27001 implementation.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

OUR CLIENTS

OUR PARTNERS

  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.